The thing about computers is that they’re not actually very good at being random: the fact that computers are very very good at following programs and routines means they’re very *not* good at *not* following routines.
That’s why random number generators (RNGs) are more properly called *pseudo*random number generators: they look random, but if you know the math equations being used to generate them, and the starting number (the “seed”), you can know the entire sequence of numbers.
Your authenticator device and the server you’re logging into both have the same equations and starting number, so it’s trivially easy to check that you’re entering the same number and, therefore, possess the authenticator.
The general idea: when 2FA is first set up, a secret value is generated by the service and shared with the user. The authenticator app and website both store this.
A set of math operations is performed on that secret value and the current time to generate a one-time-use password. The web service also calculates this (and sometimes one or more past codes as well to accommodate slight timing errors), and compares the two.
A user who is able to generate a correct code for the current time is presumed to be the account holder, as in theory, nobody should have access to that secret value since it was shared between the device and server.