Monday, 27 January 2020

How OTP codes are created when logging in with 2FA

When you are attempting to access an account, application, website or service that is protected by a one-time password (OTP), the required code is normally obtained in one of the following ways:
  1. The code is sent to your authenticating device (either via an SMS message, an email or possibly an automated phone call).
  2. The code is generated by an application (such as Google Authenticator) installed on one of your devices (mobile phone, laptop or computer).
  3. The code is generated by a self-contained hardware device (hardware token) that normally displays the required code on an LCD display (some devices act as keyboards and type the OTP into the field for you when a button is pressed, and other devices produce an audio equivalent for people with vision loss).
If the code is sent via SMS, then the service provider will use an SMS service (such as Twilio), which forwards the message via a mobile network operator.
If the code is generated by an app, then the app would previously have received seed data via one of your messaging channels, and this seed data is used to generate the code on the application. Using this method the service provider only sends data to you once (the seed data), and this data is then used locally to generate each OTP.
If hardware tokens are used, then the OTP is generated by the token itself. The service provider does not need to send anything to the user, as the tokens are normally pre-seeded (the seed data is installed during manufacture, and the seed details are passed to the service provider together with the tokens). Using this method the service provider passes on the means to generate the required OTP codes simply by handing the hardware tokens to the users who need them.
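To make the shared-seed mechanism behind methods 2 and 3 concrete, here is an added example (written for this page, not code from the original post or from any authenticator product) that implements the two standard algorithms those apps and tokens use: HOTP (RFC 4226, counter based) and TOTP (RFC 6238, time based). Both sides hold the same seed; the device derives a code from the seed plus a counter or the current time step, and the server derives the same code to check it. The seed used below is the RFC test-vector secret, a constructed value rather than a real credential, and the base32 form is the representation authenticator apps typically receive in a provisioning QR code. The `window` tolerance and the absence of replay tracking in `verify_totp` are the example's own simplifications.

```python
"""Seed-based OTP generation as shared by a service provider and a user's device.

Implements HOTP (RFC 4226) and TOTP (RFC 6238). The seed is the RFC
test-vector secret (constructed for illustration, not a real credential).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP: HMAC(seed, counter) -> dynamic truncation -> decimal code of `digits` length."""
    counter_bytes = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, counter_bytes, algorithm).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30,
         digits: int = 6, t0: int = 0, algorithm=hashlib.sha1) -> str:
    """TOTP: HOTP where the counter is the number of `step`-second intervals since `t0`."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, (at_time - t0) // step, digits, algorithm)


def seed_from_base32(encoded: str) -> bytes:
    """Decode an authenticator-app style base32 seed (the form carried in provisioning QR codes)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                  # restore padding that apps usually strip
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step or up to `window` steps either
    side (clock drift), comparing in constant time. Replay protection (rejecting a step that was
    already accepted) is deliberately left out of this example."""
    if at_time is None:
        at_time = int(time.time())
    current = at_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed: the RFC 4226 / RFC 6238 test-vector secret, not a real seed.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    assert seed == b"12345678901234567890"
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(seed, c)}")
    print("TOTP at T=59 (8 digits):", totp(seed, at_time=59, digits=8))
    print("Current TOTP:", totp(seed))
    print("Verify at T=89:", verify_totp(seed, totp(seed, at_time=59, digits=8), at_time=89, digits=8))
```

Run it as a script to see the first three HOTP codes and the TOTP for the RFC test time; the same seed on an authenticator app produces the same values, which is the whole point of the one-time seed exchange described above. A real server additionally records the last accepted time step per user so a captured code cannot be reused inside the drift window.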