[trhaynes]

https://en.wikipedia.org/wiki/Time-based_One-Time_Password

[owaislone]

Doesn't that mean the client holds the keys/secret of some sort is shared with the client so it can either generate or verify?

[mfollert]

you only need the pub key to verify