I haven't had much to do with Firebase Authentication, but I would have thought that a new token would be issued every time the user logs in. If that's the case, then if the user gets a new device, installs your app & then logs in to his account, he should get a new token - which would make the old one invalid.
I could be wrong, but it should be easy enough for you to test the theory.