As far as I understood, if somebody else scanned the same token, they would just login with their own account (if they have one).

Whoever logged in first would invalidate the hexhexhex token and the second person would need to start another browser session.