by Terr_
838 days ago
A workaround for this "email-based authentication" problem (without going to a full "make an account with a password" step) is to use temporary one-time codes, so that it doesn't matter if the URL gets accidentally shared.

1. User visits "private" link (or even a public link where they re-enter their e-mail).
2. Site e-mails user again with time-limited single-use code.
3. User enters temporary code to confirm ownership of e-mail.
4. Flow proceeds (e.g. with HTTP cookies/session data) with reasonable certainty that the e-mail account owner is involved.
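Server side of steps 2 and 3 above, as an added example (not from the comment author): the code is stored only as a hash bound to the e-mail address, expires, is consumed on first success and locks after repeated wrong guesses. The in-memory store, 6-digit format, 10-minute lifetime and 5-attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # time-limited: code is dead after 10 minutes (assumed value)
MAX_ATTEMPTS = 5         # lock the code after this many wrong guesses (assumed value)

# Assumed in-memory store; a real site would use a DB or cache keyed the same way.
# email -> {"hash": sha256(email:code), "expires": unix time, "attempts": int}
_pending = {}

def _hash_code(email, code):
    # Store only a hash bound to the e-mail, so a leaked store does not reveal live codes.
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).hexdigest()

def issue_code(email, now=None):
    """Step 2: generate a fresh single-use code for the site to e-mail to the user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG-generated 6-digit code
    _pending[email.lower()] = {
        "hash": _hash_code(email, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # caller sends this by e-mail; it is never logged or stored in clear

def verify_code(email, submitted, now=None):
    """Step 3: returns True exactly once, for a correct and unexpired code."""
    now = time.time() if now is None else now
    key = email.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(key, None)     # expired or locked: discard, user must request a new code
        return False
    entry["attempts"] += 1
    # Constant-time comparison of the hashes, so response timing leaks nothing about the code.
    if hmac.compare_digest(entry["hash"], _hash_code(email, submitted)):
        _pending.pop(key, None)     # single-use: consumed on success
        return True
    return False
```

On success the caller starts the session (step 4); on failure it should give the same generic response whether the code was wrong, expired or locked.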