This could be a huge security issue allowing users to access wallets with private key without logging in; Even though the team is trying to secure a successful token distribution with multi level verification between email and telegram the security issue lies in the fact a users machine could have key loggers, malware, or spyware.

if a machines computer is infected the url and private key is logged recording the exact website the key is used for.

being this secure you don't even have the 2fa working yet and your issuing tokens?

The solution should require user to login and implement 2fa in order to access the web wallet and tokens; this way if a hacker does have the private key at lease he can't access the web wallet without logging in.

Can you please report back on this.. If you lose your coins the team is sure not going to reimburse any token holders.