The indexed secret Token is based on a shared secret between eduMFA and the user. During authentication the user is asked for random positions from this known secret.