Token lifespan is the value of a certain expiration date of the generated token. The expired tokens will be deleted either once the user tries to log in or WP-Cron runs a clean-up task.
For the security concern, we encourage using a short lifespan for tokens, 5 minutes is a sweet spot and the plugin comes with that default.
Magic Login 1.2+ allows entering 0 as token TTL. In that case, token clean-up routines will be bypassing and the token will last forever.
PS: Regardless of lifespan, all tokens can only be used once.