I see the email token is based on OCRA which is based on HMAC.
HMAC relies on a secret shared key and a moving factor.
I assume the moving factor in the email challenge is the transaction ID buth how does the shared key works in this scenario and how is it connected to the user?