On the demo(http://totp-authentication-demo.herokuapp.com/) you provided,I created one account and bind totp to my 1password, and valid for the first time with 903992, wait for the totp changed and try another validation with 903992, show validation passed. And then i tried again with the newly generated totp password, which turns to be another validation pass.
If one of the totp password leaked, then it becames unsafe....