How exactly do authenticator apps work?


I’m talking about Google Auth, Microsoft Authenticator, Duo, etc., which give you a random set of digits to enter on websites that use two-factor authentication.


2 Answers

Anonymous

The general idea: when 2FA is first set up, a secret value is generated by the service and shared with the user. The authenticator app and the website both store this.

A set of math operations is performed on that secret value and the current time to generate a one-time-use password. The web service also calculates this (and sometimes one or more past codes as well, to accommodate slight timing errors) and compares the two.

A user who is able to generate a correct code for the current time is presumed to be the account holder, as in theory nobody should have access to that secret value, since it was shared between the device and the server.
