Nowadays I would nearly always seek to use OAuth to offload the problem onto someone else. Auth0 or Okta or Google or GitHub or someone like that. Life is too short to write forgotten password flows.