Explanation of token synchronization.
AES Tokens are synced based on time. A mathematical hash determines what the OTP response will be given the current time. We keep the same mathematical hash stored in the token object that is in AD. Every time a 2FA response is requested, we take the response that is generated from the token and compare it to what it should be giving us according to the time.
Now, if the time is off by a few seconds or minutes, we allow for the time shift in small increments. If it's off by a large margin, we will require two 2FA responses before authenticating the user. If you open the token properties in AD and go to the details tab, there's an attribute stored there for "Token time shift". This attribute keeps track of the time differential for each token.
AES tokens are time sensitive, OATH tokens are not time based. If time is suspected to be related to the issue, OATH tokens can be deployed to troubleshoot and remove time from the list of possible causes.