Reusing OneTimeTokenAuthenticationToken for both authenticated and unauthenticated instances leads to a lack of cohesion since the fields used do not overlap.
Separating them into OneTimeTokenAuthentication (authenticated) and OneTimeTokenAuthenticationToken (unauthenticated) simplifies OneTimeTokenAuthenticationToken as it will at that point only have one constructor.
This aligns with other token-based authentications like BearerTokenAuthenticationToken (unauthenticated) and BearerTokenAuthentication (authenticated).