Typically hardware keys are used to replace authentication apps. This also has a physical requirement so that if you leave your token plugged in it would be non responsive until you touch the pad, push the button or it read your fingerprint. This prevents thieves from trying to brute force data from your key if your machine is compromised. But the requirement for a login/password and the result of computation from a hardware token is what is going on. To setup the parties derive keys using a method that prevents you from intercepting the key even if you are watching the transaction. The Timed one time password is likely the least secure strategy but the one everyone implements. The server send you something encrypted with the key you agreed on, you decrypt it, hash it with the current time, encrypt it and send it back. It decrypts and validates it received what it expected. Other methods provide more security. Things like mutual authentication, where using math your can ensure you are talking with who you think you are and they can verify that you are who you say you are. Also the session can be encrypted with a key explicitly setup for a single session or transaction. This prevents you from recording a session and if you figure out the users key in the future you cannot go back and examine what you discussed/transacted in the past. This is typically called Perfect Forward Secrecy. When implementing payment systems we had 4 keys, one to verify the server, one the user used to verify itself to the server, one that was created when you logged on to a session and destroyed at logoff. The fourth was a special session key that was created any time a money movement was done.
