“That’s the big benefit of the token system, it doesn’t matter if gets stolen. Since that token is only useful for your machine for about an hour “
I’m in over my head here but could we say that it’s good as long as your email address can’t be spoofed?
Spoof the email address, doesn’t matter. The token gets formed using hashed information that identifies your machine (there’s various unique parts to every computer) so even within your own house a token you make on 1 machine couldn’t be transferred to another. Login to the same place that uses tokens on both they will both need and use their own token. It’s probably possible to find a way to spoof those unique things into the token, but it’s hard, again only good for an hour, then the token expires.