Secret shared key in Email token

I see the email token is based on OCRA which is based on HMAC.

HMAC relies on a secret shared key and a moving factor.
I assume the moving factor in the email challenge is the transaction ID buth how does the shared key works in this scenario and how is it connected to the user?

Interesting - where do you take OCRA from?

The Email token is derived from the HOTP token.
So the moving factor is the counter that is increased when the user requests an OTP value.