Indeed I think we could use the session. This means that the user/password should be checked against the real password but also against the active session.
Also I think the workflow to reset the password will be to remove the current one and just send a session by email. Then when the user logs in, we have a wizard to set the password if the user has no password.
We could also have on the client side a way to request to reset the password and send it by email, but in this case we should not clear the password because it could become a way to deny the user.
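One way to implement the client-side variant without the denial-of-service risk, as an added example that is not code from this thread: an emailed, single-use, time-limited reset token leaves the existing password and its sessions valid until the token is consumed, and the login path accepts either the password or an active session. The in-memory account store, hashing parameters and token lifetimes are assumptions.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:                       # assumed in-memory store, for illustration only
    email: str
    pw_hash: Optional[bytes] = None  # None means "no password set yet" (wizard case)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    sessions: dict = field(default_factory=dict)   # session_id -> expiry timestamp
    reset_hash: Optional[bytes] = None             # sha256 of the outstanding reset token
    reset_exp: float = 0.0

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def set_password(acct: Account, new_pw: str) -> None:
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.sessions.clear()            # every existing session dies with the old password

def login_with_password(acct: Account, pw: str, now: Optional[float] = None) -> Optional[str]:
    now = time.time() if now is None else now
    if acct.pw_hash is None or not hmac.compare_digest(acct.pw_hash, _hash(pw, acct.salt)):
        return None
    sid = os.urandom(16).hex()
    acct.sessions[sid] = now + 3600  # one-hour session
    return sid

def session_is_valid(acct: Account, sid: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    exp = acct.sessions.get(sid)
    if exp is None or exp < now:
        acct.sessions.pop(sid, None)
        return False
    return True

def request_reset(acct: Account, now: Optional[float] = None) -> str:
    # Anyone can trigger this from the client, so it must NOT clear the current
    # password: otherwise repeated requests would lock the real user out.
    now = time.time() if now is None else now
    token = os.urandom(32).hex()
    acct.reset_hash = hashlib.sha256(token.encode()).digest()   # store only the hash
    acct.reset_exp = now + 900       # 15-minute, single-use token
    return token                     # goes out by email; never logged or stored in clear

def complete_reset(acct: Account, token: str, new_pw: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if acct.reset_hash is None or now > acct.reset_exp:
        return False
    if not hmac.compare_digest(acct.reset_hash, hashlib.sha256(token.encode()).digest()):
        return False
    acct.reset_hash, acct.reset_exp = None, 0.0   # consume the token before changing anything
    set_password(acct, new_pw)
    return True
```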