I am trying to understand how WordPress nonces work in terms of security. "Nonce" stands for "a number used once", but according to WordPress, it can be valid for up to 24 hours, which makes no sense. It could be used 9999 times during this period (by the same client).

I thought that a WordPress nonce really is a number used once and that a nonce is valid only for one-time usage, but that's not the case. I guess for better security, a one-time-use number would be better, e.g. you have a commenting system and someone clicks on "reply" two times. Instead of inserting the comment two times, it is inserted only once, because the same one-time-valid nonce is given in the two requests.

Am I getting something wrong? What is the purpose of those WordPress nonces?


If you read WordPress Nonces in the Codex, they have explained it pretty fairly. Some of the key points are:

  1. Always assume nonces can be compromised.
  2. Nonces are a hash made up of numbers and letters.
  3. WordPress verifies any HTTPS request with both nonces and user cookies.

I believe point #3 is, in short, how it works with WordPress. They have mentioned that you should use the current_user_can() function instead of WordPress nonces.

As for the purpose, I believe it serves the basic purpose of multilayer security. Read this: Are Nonces Useless
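To make the 24-hour lifetime and the "not really used once" behaviour concrete, here is a simplified Python model of the scheme WordPress core uses in wp_create_nonce() / wp_verify_nonce(): time is cut into 12-hour ticks, and the nonce is a keyed hash of the tick, the action, the user ID and the session token from the login cookie, so the same string is returned for the whole tick and is accepted for the current and the previous tick (hence "up to 24 hours"). The second class shows what the asker describes, a token that is truly consumed on first use, which needs server-side state that WordPress nonces deliberately avoid. This is an added example written for this page, not WordPress's own code; the secret, user ID, session token and timestamps are made-up constants, and md5 is used only because that is what wp_hash() uses.

```python
import hashlib
import hmac
import math
import secrets

# Default nonce lifetime in WordPress is DAY_IN_SECONDS (filterable via 'nonce_life').
NONCE_LIFE = 24 * 60 * 60


def nonce_tick(now: int, life: int = NONCE_LIFE) -> int:
    """Tick number for a timestamp: ceil(now / (life / 2)), i.e. 12-hour windows."""
    return math.ceil(now / (life / 2))


def _nonce_for_tick(secret: str, tick: int, action: str, user_id: int, token: str) -> str:
    # wp_hash() is hash_hmac('md5', $data, wp_salt('nonce')); WP keeps 10 hex chars
    # from the tail of the digest via substr(..., -12, 10).
    msg = f"{tick}|{action}|{user_id}|{token}"
    digest = hmac.new(secret.encode(), msg.encode(), hashlib.md5).hexdigest()
    return digest[-12:-2]


def create_nonce(secret: str, action: str, user_id: int, token: str, now: int) -> str:
    """Same inputs inside one tick => same nonce string (that is why it is reusable)."""
    return _nonce_for_tick(secret, nonce_tick(now), action, user_id, token)


def verify_nonce(secret: str, nonce: str, action: str, user_id: int, token: str, now: int):
    """Returns 1 if the nonce was made in the current tick, 2 if in the previous one,
    False otherwise. Binding to user_id and the session token is what ties the nonce
    to the logged-in cookie (point #3 in the answer)."""
    tick = nonce_tick(now)
    for offset, result in ((0, 1), (1, 2)):
        expected = _nonce_for_tick(secret, tick - offset, action, user_id, token)
        if hmac.compare_digest(nonce, expected):
            return result
    return False


class OneTimeTokens:
    """A genuinely single-use token store (hypothetical, not part of WordPress).
    In a real deployment this would be a DB table or transient with a row lock,
    because two concurrent "reply" clicks must not both pass the check."""

    def __init__(self) -> None:
        self._issued: set[str] = set()

    def issue(self) -> str:
        tok = secrets.token_hex(16)   # random, so replay across requests is impossible
        self._issued.add(tok)
        return tok

    def consume(self, tok: str) -> bool:
        """True on first use, False on any replay (or unknown token)."""
        if tok in self._issued:
            self._issued.remove(tok)
            return True
        return False


if __name__ == "__main__":
    # Constructed inputs: a fake salt, user 7, a fake session token and a fixed clock.
    SECRET, UID, TOKEN, T0 = "example-nonce-salt", 7, "sess-abc123", 1_000_000_000
    n = create_nonce(SECRET, "reply_to_comment", UID, TOKEN, T0)
    print("nonce:", n)
    print("1 hour later  :", verify_nonce(SECRET, n, "reply_to_comment", UID, TOKEN, T0 + 3600))
    print("13 hours later:", verify_nonce(SECRET, n, "reply_to_comment", UID, TOKEN, T0 + 13 * 3600))
    print("25 hours later:", verify_nonce(SECRET, n, "reply_to_comment", UID, TOKEN, T0 + 25 * 3600))
    store = OneTimeTokens()
    t = store.issue()
    print("first submit:", store.consume(t), "double-click:", store.consume(t))
```

The model makes the trade-off visible: a WordPress nonce is cheap (no storage, no database write) and still stops a CSRF page from forging a request, because the attacker cannot compute the hash without the nonce salt and the victim's session token; it does not stop the same client from submitting twice, which is what a stored one-time token would do. Note that simply "consuming" a WordPress nonce in a set would not help, since the string is identical for every request of that action in the 12-hour window.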
