My query is just how closely are the time stamps on the app, which presumably could be using the phone network or be via a wireless internet link, and the web page, which is almost certain to be via an internet connection, tied to synchronisation?
Generally speaking if a new code is generated every 30 seconds, then
at a minimum the system can tolerate clock synchronization errors of up to 2*30 seconds (< 1 minute).
I only post to give some background info. My wife has an on-line bank account. Whenever she is online and wishes to transfer money to somewhere else - at some point in the transaction she has a to click a button on her PC and almost instantly her mobile phone 'dings' as it receives a text with a secure code from the internet bank that she then has to input to the PC in order to proceed.
If that secure code text is via SMS then it can't be considered secure and hopefully her bank will implement a more robust solution soon.