Next token mode is applied in cases where the authentication process requires additional verification of the token code. The user is asked to enter the next token code: that is, to wait until the number currently displayed on the authenticator changes, and then enter the new number (without the PIN).
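The following sketch shows the two-step exchange described above from the server's side. It is an added example, not RSA's or this product's code. The HMAC-based `token_code` generator, the 60-second interval, the `Verifier` class and the rule that a challenge is issued when the first code only matches a neighbouring time interval are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # assumed seconds per displayed token code


def token_code(seed: bytes, t: int) -> str:
    """Stand-in generator (not RSA's algorithm): 6-digit code for time t."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of two codes or PINs
    return hmac.compare_digest(a.encode(), b.encode())


class Verifier:
    """Hypothetical server-side check that can issue a next-token challenge."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 2):
        self.seed, self.pin, self.drift = seed, pin, drift_steps
        self.pending = None  # interval of the first code while challenged

    def login(self, passcode: str, now: int) -> str:
        """passcode = PIN followed by the token code currently displayed."""
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        self.pending = None
        if not _same(pin, self.pin):
            return "DENY"
        # Try the server's own interval first, then neighbours (assumed policy).
        for off in sorted(range(-self.drift, self.drift + 1), key=abs):
            if _same(code, token_code(self.seed, now + off * STEP)):
                if off == 0:
                    return "ACCEPT"
                self.pending = now // STEP + off
                return "NEXT_TOKEN"
        return "DENY"

    def next_token(self, code: str) -> str:
        """Second step: token code only, no PIN, from the following interval."""
        if self.pending is None:
            return "DENY"
        expected = token_code(self.seed, (self.pending + 1) * STEP)
        self.pending = None  # one attempt per challenge
        return "ACCEPT" if _same(code, expected) else "DENY"
```

Re-entering the code that triggered the challenge is rejected, because only the code from the interval after it satisfies `next_token`.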

Note: When using RSA and Kerberos Constrained Delegation (KCD), the user password is not authenticated, which may result in unsecured access, particularly if RSA operates in token-code-only mode. While many RSA implementations use token code and PIN, others use only the token code.