All authenticators are doing the same thing. It's a time-based, one-time use pass code. There's no data going back and forth between the authenticator app and Google, they are just both using the same algorithm to generate the code based on the time of day. Since no one knows that algorithm, it's not possible to figure out that code. They use a "one-way hashing" technique to do this. Just because the user has the 6-digit result on the authenticator does not mean anyone could go backwards to figure out what the key is.
This is all part of two-factor authentication, which really enhances security. It requires not only something the user knows (a password), but also something the user has (their phone, or a device). Leo believes this is really important now with the recent security breaches.