Password vs MFA
Implementing Time-based OTP (TOTP) by hand and defending against password theft.
How TOTP Works
1. Shared Secret: The server and the authenticator app share a random secret, shown to the user once as base32 (usually inside a QR code) during enrolment. It is never sent over the wire again, but unlike a password it cannot be stored as a one-way hash: the server needs the raw secret to compute codes, so it must be encrypted at rest, and anyone who reads it can mint valid codes.
2. Current Time: Both sides take the current Unix time and divide it by the step length, 30 seconds by default, giving an integer counter T = floor(unix_time / 30). The two clocks only need to agree to within one step; servers usually also accept the neighbouring steps (a window of ±1) to tolerate drift.
3. HMAC Calculation: The app computes HMAC-SHA1 keyed with the secret over the 8-byte big-endian encoding of T (RFC 6238 also permits SHA-256 and SHA-512, but most apps default to SHA-1).
4. Truncation: The 20-byte (160-bit) HMAC is reduced by "dynamic truncation": the low 4 bits of the last byte select an offset, 4 bytes are read from that offset with the top bit masked off, and the result modulo 10^6 is zero-padded to the 6-digit code you see on your phone. The server computes the same value and compares it in constant time, and a code already accepted for a given step should be rejected so it cannot be replayed.
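The four steps above, carried through end to end as an added example (this is not the page's own demo code): secret generation and base32 handling, the HOTP core with dynamic truncation, TOTP on top of it, and a server-side verify that tolerates a ±1 step window, compares in constant time and refuses replays. The `last_used_step` parameter and the return convention (matched counter or `None`) are this example's own design, not anything the page specifies. The secret `12345678901234567890` is the RFC 6238 test-vector key, included so the output can be checked against the published values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30      # RFC 6238 default time step, in seconds
DIGITS = 6     # code length shown by most authenticator apps

# RFC 6238 / RFC 4226 test-vector key, base32-encoded the way an enrolment QR carries it.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random secret as unpadded base32 (the form authenticator apps expect)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def decode_secret(b32: str) -> bytes:
    """Decode a user-facing base32 secret, tolerating spaces, lowercase and missing '='."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding to a multiple of 8 chars
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F           # low nibble of the last byte picks the window
    code = ((mac[offset] & 0x7F) << 24   # top bit masked off so the value is non-negative
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(b32_secret: str, at=None, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(decode_secret(b32_secret), t // step, digits)


def verify(b32_secret: str, code: str, at=None, window: int = 1,
           last_used_step=None, step: int = STEP, digits: int = DIGITS):
    """Server-side check. Returns the matched time step, or None if the code is rejected.

    - accepts codes from the current step and `window` steps either side (clock drift);
    - uses hmac.compare_digest so a wrong digit does not leak through timing;
    - refuses any step <= last_used_step so an intercepted code cannot be replayed.
    """
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return None
    key = decode_secret(b32_secret)
    t = int(time.time()) if at is None else int(at)
    current = t // step
    matched = None
    # Check every candidate rather than returning early, so the amount of work
    # does not depend on which step (if any) matched.
    for candidate in range(current - window, current + window + 1):
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            matched = candidate
    return matched


if __name__ == "__main__":
    print("RFC 6238 vector, t=59:", totp(RFC_SECRET_B32, 59))       # 287082
    now = int(time.time())
    live = totp(RFC_SECRET_B32, now)
    print("accepted at step", verify(RFC_SECRET_B32, live, at=now))
    print("replay rejected:", verify(RFC_SECRET_B32, live, at=now, last_used_step=now // STEP))
```

In a real deployment the enrolment step that hands out `generate_secret()` is the only time the secret crosses the wire, and the value returned by `verify` is what you persist as `last_used_step` for that user so the same code cannot be accepted twice.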