by withinboredom 2109 days ago
Use a security key like a YubiKey to verify it's the same person. I dunno if the default YubiKey requires a PIN AND touch, but mine does... even if you steal it, you don't know the PIN. These days you can also use Apple Touch ID and Windows Hello in WebAuthn. So, there's that.

Another possibility is requiring a payment with a payment method they've used before and then crediting their account with the amount. Forcing 3D Secure on that transaction should cut down on fraudulent takeovers, or at least shift the liability from you somewhat.

If you have an app, you can also allow them to authorize the password reset from the app on a computer (or vice versa).

Lastly, you could just not have a password to forget. :)
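The "PIN AND touch" point above is something the relying party can enforce server-side: a WebAuthn assertion carries flag bits saying whether the authenticator checked user presence (touch) and user verification (PIN or biometric). The following is an added example, not code from the comment or from any project, showing the policy checks a password-reset endpoint would run on an assertion before accepting it; the relying-party ID `example.com`, the origin, and the test data are constructed, and signature verification against the stored credential public key (required in a real deployment) is deliberately not included.

```python
import base64
import hashlib
import json
import struct

# authenticatorData flag bits (WebAuthn Level 2, section 6.1)
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked on the authenticator


class ResetDenied(Exception):
    """Raised when the assertion must not authorize a password reset."""


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_reset_assertion(rp_id, origin, challenge, stored_count,
                          client_data_json, auth_data):
    """Return the new signature counter if the assertion is acceptable."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ResetDenied("not an authentication ceremony")
    if cd.get("challenge") != b64url(challenge):
        raise ResetDenied("challenge mismatch (replayed or cross-session)")
    if cd.get("origin") != origin:
        raise ResetDenied("origin mismatch (assertion made on another site)")
    if len(auth_data) < 37:
        raise ResetDenied("authenticatorData too short")
    rp_hash, flags = auth_data[:32], auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ResetDenied("assertion was made for a different relying party")
    if not flags & FLAG_UP:
        raise ResetDenied("no user presence: key was not touched")
    if not flags & FLAG_UV:
        raise ResetDenied("no user verification: PIN/biometric not enforced")
    # A counter that fails to advance suggests a cloned authenticator.
    if (count or stored_count) and count <= stored_count:
        raise ResetDenied("signature counter did not increase")
    return count


def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed authenticatorData for testing (no real key involved)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", count))
```

Requiring `FLAG_UV` is what turns "someone has the key" into "someone has the key and knows the PIN"; a reset endpoint that only checks `FLAG_UP` gets no protection from a stolen key.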