If the PIN is correct and the encryption valid, the server will generate a random OTP and encrypt it with the user's public key. It will be decrypted by the user's private key, the 'something they have', and presented to the user. (It is also decrypted by the one-time-use AES key.)
The WiKID Admin can set the OTP lifetime to whatever they deem appropriate.
The user can enter this OTP as they would any password. The service they are logging into will check that the OTP is valid for that registered user.
Note that because the OTP incorporates both something you know and something you have, it represents both factors. There is no need for the user to enter a password.
That's it. The user has a very simple process to get the passcodes and all the encryption is between you and the tokens.
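The server-side half of the flow above (a random OTP, an admin-set lifetime, validation for the registered user), sketched as an added example that is not WiKID's own code. The class name `OtpStore`, the 6-digit format, the 60-second default and the three-guess limit are assumptions; PIN checking and the public-key/AES encryption of the OTP in transit are left out.

```python
import hmac
import secrets
import time


class OtpStore:
    """Random, short-lived, single-use passcodes bound to one user (hypothetical)."""

    def __init__(self, lifetime_seconds=60, digits=6, max_attempts=3,
                 clock=time.monotonic):
        self.lifetime = lifetime_seconds    # the admin-configurable OTP lifetime
        self.digits = digits                # assumed passcode length
        self.max_attempts = max_attempts    # assumed guess limit per OTP
        self.clock = clock                  # injectable so expiry can be tested
        self._pending = {}                  # user -> (otp, expires_at, attempts_left)

    def issue(self, user):
        """Generate a random OTP for `user`, replacing any earlier one."""
        otp = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user] = (otp, self.clock() + self.lifetime, self.max_attempts)
        return otp

    def validate(self, user, candidate):
        """True only for the live OTP issued to this user; success consumes it."""
        entry = self._pending.get(user)
        if entry is None:
            return False                    # nothing issued, or already used
        otp, expires_at, attempts_left = entry
        if self.clock() >= expires_at:
            del self._pending[user]         # past its lifetime
            return False
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            del self._pending[user]         # one-time: a replay finds no entry
            return True
        if attempts_left <= 1:
            del self._pending[user]         # too many wrong guesses: revoke
        else:
            self._pending[user] = (otp, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    store = OtpStore(lifetime_seconds=30)
    otp = store.issue("alice")              # constructed user names
    print(store.validate("bob", otp),       # wrong user
          store.validate("alice", otp),     # first use
          store.validate("alice", otp))     # replay
```
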