Authorization is the second step, before that you will need an authentication check to make sure that the one who logs in is indeed who (s)he says (s)he is (that is the usual login-id and password stuff).

It is a bit difficult to see how you can authenticate through e-mail (perhaps putting the log-in and password in the body of the e-mail? But that is not secure at all as anybody who intercepts the e-mail will know your log-in and password). Simply checking for the e-mail address of the sender is of course not enough as e-mail headers are far too easily spoofed. Anyone who has taken the Spam 101-course will know how to do it.