Even though the current implementation works as a HOTP client, there is nothing saying that the implementation cannot be updated to also work as the validating server. One could for example have a simple device (a security token only generating one time passwords) and use the TEE as a validating service to open up other secure services.