How does direct debit work
There are two standard ways to build such a device:
Time-based. The device has a secret key K (known only to the device and to your bank). When you press the button, The device computes F(K, T) (where T is the current time) and outputs it as a 6-digit code.
Your bank, which also knows K. can compute the same function. To deal with the fact that the clocks might not be perfectly synchronized, the bank will compute a range of values and test whether the 6-digit code you provide falls anywhere in that range. In other words, the bank might compute F(K, T-2). F(K, T-1). F(K, T). F(K, T+1). F(K, T+2). and if the code you provide matches any of those 5 values, the bank accepts your login.
I suspect this is not how your device works, since your device always gives you a different value every time you press the button.
Sequence-based. The device has a secret key K (known only to the device and to your bank). It also contains a counter C. which counts how many times you have pressed the button so far. C is stored in non-volatile
memory on your device. When you press the button, the device increments C. computes F(K, C). and outputs it as a 6-digit code. This ensures that you get a different code every time.
The bank also tracks the current value of the counter for your device, and uses this to recognize whether the 6-digit code you provided is valid. Often, the bank will test a window of values. For instance, if the last counter value it saw was C. then the bank might compute F(K, C+1). F(K, C+2). F(K, C+3). F(K, C+4) and accept your 6-digit code if it matches any of those four possibilities. This helps ensure that if you press the button once and then don't send it to the bank, you can still log on (you aren't locked out forevermore). In some schemes, if there is a gap in codes (e.g. because you pressed the button a few times and then didn't send the code to the bank), you will need to enter two consecutive valid codes before the bank will log you on.
Based upon what you've told us, I would hypothesize that your device is probably using the sequence-based approach.Source: security.stackexchange.com