An automatic login URL is a mechanism whereby an existing but logged-out user of your website or application can click a link with a random token and be automatically recognized and logged in to your website. Often these mechanisms are used in other fashions such as password resets.
I am wondering what some "defense in depth" security measures are that you suggest when building an "automatic login" mechanism that reduce the risk of user account compromise.
Is there anything that can be done beyond the typical measures?
- Token with short expiration time
- Token that can only be used once
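A minimal token store implementing the two measures listed above (short expiry, single use) together with two further ones a reviewer would expect: only a hash of the secret is kept at rest, and verification is constant-time. This is an added example, not code from the original question; the 15-minute lifetime, the selector/verifier token layout, the `revoke_all` hook and the in-memory dictionary are assumptions standing in for an application's real database and policy.

```python
"""Magic-link ("automatic login URL") token store: single-use, short-lived,
hash-at-rest tokens. Added example; not from the original question."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed policy value (not from the question): links live 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class _Record:
    user_id: str
    verifier_hash: bytes   # sha256(verifier); the raw secret is never stored
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """In-memory stand-in for the table a real application would use."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock for testing
        self._by_selector: Dict[str, _Record] = {}

    @staticmethod
    def _hash(verifier: str) -> bytes:
        return hashlib.sha256(verifier.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Return the token to embed in the link: '<selector>.<verifier>'.

        The selector is a random lookup key; the verifier is the secret.
        Only the verifier's hash is stored, so a leaked table yields no
        usable links.
        """
        selector = secrets.token_urlsafe(12)
        verifier = secrets.token_urlsafe(32)
        self._by_selector[selector] = _Record(
            user_id=user_id,
            verifier_hash=self._hash(verifier),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        return f"{selector}.{verifier}"

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token; return the user id on success, else None.

        Every failure path returns the same None, so a caller cannot tell
        'unknown selector' from 'wrong verifier' from 'expired'.
        """
        selector, sep, verifier = token.partition(".")
        if not sep:
            return None
        rec = self._by_selector.get(selector)
        if rec is None:
            return None
        # Constant-time comparison of hashes, never of the raw secret.
        if not hmac.compare_digest(rec.verifier_hash, self._hash(verifier)):
            return None
        if rec.used or self._now() > rec.expires_at:
            # A replayed or late token must never become valid again.
            # (A real deployment would also log the replay attempt.)
            self._by_selector.pop(selector, None)
            return None
        rec.used = True  # single use: mark before returning the identity
        return rec.user_id

    def revoke_all(self, user_id: str) -> int:
        """Invalidate every outstanding link for a user, e.g. on password
        change or 'log out everywhere'. Returns how many were removed."""
        stale = [s for s, r in self._by_selector.items() if r.user_id == user_id]
        for s in stale:
            del self._by_selector[s]
        return len(stale)


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Drive the store with a fake clock: (first use, replay, expired)."""
    clock = [1_000_000.0]
    store = MagicLinkStore(now=lambda: clock[0])

    tok = store.issue("alice")
    first = store.redeem(tok)      # 'alice'
    replay = store.redeem(tok)     # None: already consumed

    tok2 = store.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(tok2)   # None: past its lifetime
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The selector/verifier split matters for the timing point: the database lookup happens on a public, non-secret key, and the secret half is only ever compared as a hash with `hmac.compare_digest`. `revoke_all` is where the "defense in depth" part lives: wiring it into password changes and explicit logouts means a link e-mailed before a compromise cannot be replayed afterwards.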