diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 528052a3..331a0269 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -875,10 +875,12 @@ static int action_resize(void)
 if (isLUKS2(crypt_get_type(cd))) {
 /* try load VK in kernel keyring using token */
 r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
- ARG_INT32(OPT_TOKEN_ID_ID), NULL,
- ARG_STR(OPT_TOKEN_TYPE_ID),
- CRYPT_ACTIVATE_KEYRING_KEY,1, true,
- ARG_SET(OPT_TOKEN_ONLY_ID));
+ ARG_INT32(OPT_TOKEN_ID_ID),
+ NULL, ARG_STR(OPT_TOKEN_TYPE_ID),
+ CRYPT_ACTIVATE_KEYRING_KEY,
+ 1, true,
+ ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+ NULL);
 if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
@@ -1829,7 +1831,9 @@ static int action_open_luks(void)
 r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
 ARG_INT32(OPT_TOKEN_ID_ID), activated_name,
 ARG_STR(OPT_TOKEN_TYPE_ID), activate_flags,
- set_tries_tty(false), true, ARG_SET(OPT_TOKEN_ONLY_ID));
+ set_tries_tty(false), true,
+ ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+ NULL);
 if (r >= 0 || r == -EEXIST || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
@@ -2707,7 +2711,9 @@ static int action_luksResume(void)
 /* try to resume LUKS2 device by token first */
 r = luks_try_token_unlock(cd, ARG_INT32(OPT_KEY_SLOT_ID),
 ARG_INT32(OPT_TOKEN_ID_ID), action_argv[0], ARG_STR(OPT_TOKEN_TYPE_ID), 0,
- set_tries_tty(false), false, ARG_SET(OPT_TOKEN_ONLY_ID));
+ set_tries_tty(false), false,
+ ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID),
+ NULL);
 if (r >= 0 || quit || ARG_SET(OPT_TOKEN_ONLY_ID))
 goto out;
diff --git a/src/utils_luks.c b/src/utils_luks.c
index 5ceda995..d7021a7f 100644
--- a/src/utils_luks.c
+++ b/src/utils_luks.c
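Review bot: The expression `ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID)` is now spelled out verbatim at all three call sites changed here (action_resize, action_open_luks and action_luksResume) and has to be kept in sync by hand; a file-local helper, `static bool token_preferred(void) { return ARG_SET(OPT_TOKEN_ONLY_ID) || ARG_SET(OPT_TOKEN_ID_ID) || ARG_SET(OPT_TOKEN_TYPE_ID); }`, would give the rule one name and one definition. Note also that the decision moved from testing the values the callee received (`token_id == CRYPT_ANY_TOKEN`, a NULL `token_type`) to testing whether the options were given on the command line; this is presumably equivalent for the option defaults but is worth confirming, since an explicitly supplied option carrying the default value would now enable PIN prompting where before it did not. All three callers pass NULL for the new last argument, so the returned-context path is not exercised by this commit. Each enclosing function continues outside its hunk.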
@@ -310,7 +310,8 @@ int luks_try_token_unlock(struct crypt_device *cd,
 uint32_t activate_flags,
 int tries,
 bool activation,
- bool token_only)
+ bool retry_with_pin,
+ struct crypt_keyslot_context **r_kc)
 {
 int r;
 struct crypt_keyslot_context *kc;
@@ -326,15 +327,15 @@ int luks_try_token_unlock(struct crypt_device *cd,
 return r;
 if (activation)
- r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, NULL, activate_flags);
+ r = crypt_activate_by_keyslot_context(cd, activated_name, keyslot, kc, CRYPT_ANY_SLOT, kc, activate_flags);
 else
 r = crypt_resume_by_keyslot_context(cd, activated_name, keyslot, kc);
 tools_keyslot_msg(r, UNLOCKED);
 tools_token_error_msg(r, token_type, token_id, false);
- /* Token requires PIN (-ENOANO). Ask for it if there is evident preference for tokens */
- if (r != -ENOANO || (!token_only && !token_type && token_id == CRYPT_ANY_TOKEN))
+ /* Token requires PIN (-ENOANO). */
+ if (r != -ENOANO || !retry_with_pin)
 goto out;
 if (token_id == CRYPT_ANY_TOKEN)
@@ -368,6 +369,10 @@ int luks_try_token_unlock(struct crypt_device *cd,
 check_signal(&r);
 } while (r == -ENOANO && (--tries > 0));
 out:
- crypt_keyslot_context_free(kc);
+ if (r >= 0 && r_kc)
+ *r_kc = kc;
+ else
+ crypt_keyslot_context_free(kc);
+
 return r;
 }
diff --git a/src/utils_luks.h b/src/utils_luks.h
index 10f85a77..3af163e5 100644
--- a/src/utils_luks.h
+++ b/src/utils_luks.h
@@ -51,6 +51,7 @@ int luks_try_token_unlock(struct crypt_device *cd,
 uint32_t activate_flags,
 int tries,
 bool activation,
- bool token_only);
+ bool retry_with_pin,
+ struct crypt_keyslot_context **r_kc);
 #endif /* UTILS_LUKS_H */
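Review bot: At the `out:` label the new code hands `kc` to the caller only when `r >= 0 && r_kc`, but on the failure path `*r_kc` is never written, so a caller that frees `*r_kc` unconditionally after an error would operate on whatever the pointer held before the call; make every exit leave it defined with `else { crypt_keyslot_context_free(kc); if (r_kc) *r_kc = NULL; }`. The context handed back may hold the PIN collected in the retry loop, so the receiving caller takes over the duty of releasing it with crypt_keyslot_context_free(); none of the callers in this commit passes a non-NULL `r_kc`, so that contract is only exercised by future code. Separately, the activation hunk now passes `kc` as the additional keyslot context (sixth argument) where it previously passed NULL; that change is independent of the parameter rename and deserves a one-line comment, e.g. `/* same context also serves the additional keyslot */`, stating why the same context is supplied twice. The part of luks_try_token_unlock between the hunks, including the PIN prompting loop, is not shown.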
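Review bot: The changed prototype carries no comment describing the two new parameters, so the ownership rule for `r_kc` lives only in the implementation. Add a block comment above the declaration stating that `retry_with_pin` selects whether an -ENOANO result from the token leads to interactive PIN prompting, and that when `r_kc` is non-NULL and the call returns a value >= 0 it receives the keyslot context, which the caller must release with crypt_keyslot_context_free(); say explicitly what happens to `*r_kc` on error. Callers that do not want the context pass NULL, as the three call sites in this commit do.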