[Cryptography] Is this a solved problem?

Henry Baker hbaker1 at pipeline.com
Mon Sep 28 20:54:23 EDT 2020


What I will describe is a standard problem in ecommerce today.

A company has a web site, which customers have to 'log into'
in order to view & purchase products.

The company may also have a smartphone 'app' which provides
equivalent capabilities for viewing & purchasing products.

Nowadays, companies also have 2FA, which sometimes requires
that one not only log into the website & provide a password,
but also respond to an email or a text message sent to an
email address or a smartphone.

So, the company also mails out special promotions for its
better customers to their email addresses (most likely
the same ones that they utilize for 2FA).  Clearly, if a
customer receives the email on their 2FA account, then they
are already authenticated. So a link in that email should
take them to an *already-logged in* web page.  It is a very
irritating hassle for such a link to require that the
customer log in again.

But companies don't want these links to work if this customer
emails these links to his/her buddies.  Aside from them not
being preferred customers of the company, these buddies would
also -- in effect -- be logging in as the original email
recipient, and could conceivably buy products which would
be charged to the original email recipient.

Now most smartphone 'apps' are considered 'personal', and
many/most don't require logging in when they are utilized.
So such an emailed link would prefer to open the smartphone
app rather than a web page in the user's preferred browser.
But we still have the same problem if this link activates
the same 'app' on one of the buddies' smartphones.

So how can the company make a 'link' that only operates for
the original recipient of the email, and not for anyone else
who somehow gains access to this link?

Are there any 'standard'/'preferred' solutions to this problem?
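An added illustration of the problem posed above and of one commonly used mitigation (this is example code written for this page, not something from the post or from any particular vendor). It assumes a hypothetical shop at `https://shop.example`, HMAC-signed link tokens, and that the app or browser obtained a long-lived random device secret when the customer last authenticated (the same kind of cookie a 2FA "remember this device" flow sets). The first version is the link the post describes: whoever holds it is logged in as the recipient. The second version still carries the same kind of token, but the server only honours it when presented from a device already enrolled for that account, makes it single-use, and lets it expire, so a forwarded copy opened on a buddy's phone fails.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side MAC key; a real deployment keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _token_from_link(link: str) -> str:
    return link.split("t=", 1)[1]


# --- Version 1: the bearer link the post complains about ----------------------
# The link alone proves "I am user_id" to anyone who receives it.
def make_bearer_link(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}.{exp}"
    return f"https://shop.example/promo?t={payload}.{_sign(payload)}"


def open_bearer_link(link: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the user id the link logs in as, or None if the link is invalid."""
    try:
        user_id, exp, sig = _token_from_link(link).split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user_id}.{exp}")):
        return None  # tampered
    if int(exp) < (now if now is not None else time.time()):
        return None  # expired
    return user_id  # any holder of the link is now "logged in" as user_id


# --- Version 2: link only valid on a device the recipient already uses ---------
# Constructed in-memory stores; the real thing lives in the account database.
enrolled_devices: dict = {}   # user_id -> set of SHA-256(device_secret)
used_nonces: set = set()      # nonces of links that have already been opened


def enroll_device(user_id: str) -> str:
    """Called after a full login (password + 2FA). Returns the device secret
    that the app or browser stores locally; the server keeps only its hash."""
    device_secret = secrets.token_urlsafe(32)
    digest = hashlib.sha256(device_secret.encode()).hexdigest()
    enrolled_devices.setdefault(user_id, set()).add(digest)
    return device_secret


def make_bound_link(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    exp = int(now if now is not None else time.time()) + ttl
    nonce = secrets.token_urlsafe(16)  # makes the link single-use
    payload = f"{user_id}.{exp}.{nonce}"
    return f"https://shop.example/promo?t={payload}.{_sign(payload)}"


def open_bound_link(link: str, device_secret: str, now: Optional[float] = None) -> Optional[str]:
    """Returns user_id only if the signed, unexpired, unused link is opened from
    a device that was previously enrolled for that account; otherwise None."""
    try:
        user_id, exp, nonce, sig = _token_from_link(link).split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user_id}.{exp}.{nonce}")):
        return None  # tampered
    if int(exp) < (now if now is not None else time.time()):
        return None  # expired
    digest = hashlib.sha256(device_secret.encode()).hexdigest()
    if digest not in enrolled_devices.get(user_id, set()):
        return None  # forwarded to a device that never authenticated as user_id
    if nonce in used_nonces:
        return None  # already opened once
    used_nonces.add(nonce)
    return user_id
```

The design choice worth noting is that the token in the email never changes meaning; what changes is that the server treats it as one factor and the enrolled device as the other, which is exactly what the post's "already authenticated because they got the 2FA email" reasoning implies. On a phone that has never completed the full login for that account there is no device secret, so the link degrades to an ordinary "please log in" page rather than a purchase session charged to the original recipient.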
