OATH Compliant (Desktop Tokens such as iToken, Android, when programmed as OATH Compliant HMAC/SHA1):
The token response is valid until used - there is no time limit.
Windows/Mobile type tokens:
The responses are valid for ~5 minutes. This is true for synchronous Desktop Tokens such as iToken, Android, etc., when programmed using 3DES, AES or Defender SNK. This means that when a new token response is displayed on the device it can be used within a five minute period.
Note: 3DES or AES may work longer than 5 minutes only for the first 5 responses generated by the token as this is the time that the clock on the Mobile device synchronizes with Defender.
Hardware Vasco tokens (Go-x):
The response is valid for a length of time (over 15 mins). For the Vasco Go-x tokens if the 'Use Synchronous tokens as Event tokens' option is selected on the token policy then the same response can be used multiple times up until the time that the token would no longer be displayed on the device i.e. 36 seconds. If 'Use Synchronous tokens as Event tokens' option is not selected then the token response can only be used once.
You may notice that token responses sometimes last for less than 5 minutes. This is due to an offset applied by the Defender Security Server when the token is activated.
If a new response is generated, the previous reponse should still work also, as long as it's within the time window - for Desktop Tokens the response will only work once as they are OTP tokens.