They work on mathematical functions, and to calculate each key (by key I mean the number that is generated and that you enter for authorization), either a counter or sequential hashing is used.
Roughly speaking, the token contains some one-way function f(x) , and some starting number k . The server also knows what function and what number is used in the token linked to your account.
If it's a counter model, then your function calculates f(k) and then kincreases by one (or changes in any other way, the main thing is that according to a well-known algorithm). If these are sequential calculations of the key, then each next key is the result of the function on the previous key, that is, f(k) is calculated , then f(f(k)) , f(f(f(k))) , and so on.
Accordingly, each time you click on the button, the token calculates the next key. When you enter it for authorization, the server also calculates the same key and compares them.

> you can safely pull out the battery, put it back
And if you pull it out, wait a couple of weeks and only then put it back in?

en.wikipedia.org/wiki/%D0%9E%D0%B4%D0%BD%D0%BE%D1%80%D0%B0%D0%B7%D0%BE%D0%B2%D1%8B%D0 %B9_%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C
habrahabr.ru/post/154229/
There are two principles -
f (T, IV) - Code based on time and code initialization, clock complexity
f(n,IV) — Code based on the attempt number and initialization code, the complexity is in the ability of the server not to know about the attempt made.
And who told you that there are no clocks there? The clock inside mikruha can go for years from the charge in the capacitor

Alternatively, the bank does not need to know this one-time password at all. It is enough for him to receive a certain document signed by an EDS registered with a bank (certifying center) for a specific client. The token has built-in cryptographic means, with which you submit a document at the entrance, authorize using a one-time password for signing with a private key (it is stored in the token, there is no way to get it using the token), and at the output you get the EDS of the document, which, together with the document, is transferred to the bank and checked there (of course, the bank must have a public key that corresponds to a private one).

I looked here one of the banking tokens in linux. iBank, it seems. lsusb honestly said - the SIM card is in the USB reader.

habrahabr.ru/post/105268/

The clock is definitely there, even if you don't believe it. Try entering a code that is outdated for at least a second ...

Another one of the options.
The principle of their operation must be divided into several stages:
1. Preparatory: the generation center is deployed in the network infrastructure of the bank, its parameters are written to the software that initializes the tokens (the config is sewn up and passwords are generated), the firmware number and serial number are read, the group is updated.
2. Initialization: tokens go through the initialization procedure (now they know where to break), CA certificates can be entered, a group is allowed on the equipment or the number of tokens that are allowed access is increased, a password is generated for the user (usually in pin-conferencing)