How exactly do authenticator apps work?


I’m talking about Google Auth, Microsoft authenticator, Duo, etc., that give you a random set of digits to input in two-factor authentication websites.


2 Answers

Anonymous 0 Comments

The thing about computers is that they’re not actually very good at being random: the fact that computers are very very good at following programs and routines means they’re very *not* good at *not* following routines.

That’s why random number generators (RNGs) are more properly called *pseudo*random number generators: they look random, but if you know the math equations being used to generate them, and the starting number (the “seed”), you can know the entire sequence of numbers.

Your authenticator device and the server you’re logging into both have the same equations and starting number, so it’s trivially easy to check that you’re entering the same number and, therefore, possess the authenticator.
