Spoof the email address, doesn’t matter. The token gets formed using hashed information that identifies your machine (there’s various unique parts to every computer) so even within your own house a token you make on 1 machine couldn’t be transferred to another. Login to the same place that uses tokens on both they will both need and use their own token. It’s probably possible to find a way to spoof those unique things into the token, but it’s hard, again only good for an hour, then the token expires.
“information that identifies your machine”
I’ve heard that each individual cpu chip has a unique identification that can be accessed and then obviously put into an outgoing message. The outgoing message could be spoofed too.
An outgoing message could be spoofed to anything desired.
Don’t know whether this is a weakness of the token scheme.
The ultimate hack would be someone standing beside the person with access ability threatening him if he doesn’t open the door.