How does the 6-digit number in multifactor authentication work?
What is that 6-digit number in the authenticator app? Why does it change every 30 seconds? How is it generated? How does the server know that this is the correct number? How does it keep working when the phone is offline?
Also, why do we need to scan a QR code when setting it up? What does the QR code contain? How secure is the whole system? What are its limitations? What should you consider if you implement a server that supports this authentication method?
We will start with a simple, intuitive explanation and slowly go into the technical details and algorithms. Hopefully you can answer all of the above questions after reading this. This is not a high-level explanation of why it is good to have MFA, or how to deploy it; there are plenty of resources explaining that already. This article focuses on the details of the technology under the hood.
