Re: and basically impossible to test for.
I've written a Google Authenticator clone that runs to about one screenful of Perl, if you strip out delimiting line breaks and comments.
The same function (which looks like a fiendish version of a mind-reading parlour trick) is used in the authenticator app (which is air-gapped from the client side) and the server login process, to generate a stream of numbers from the timestamp divided by 30 (so the code is valid for long enough to type it in, send it over the network and check it; you can optionally check against the code from 30 seconds ago, in case it changed while in transit) and a pre-shared key (in the QR code; anyone who sees that QR code can generate the stream of numbers).