it depends on a few details mainly how important the data is to be protected

for ex in healthcare you have to be a lot more careful and use additional measures

we send out emails to invite people to sign up but once they are signed up they have to do additional steps to validate their identity

this can be as simple as 2 factor auth with SMS or email or as complex as a questionnaire based on data from a credit check (ie past addresses, cars owned etc)

as far as a link to be sent out we generally create time sensitive links that expire after a certain time and use a hash.