I mean, if they knew who was requesting the password reset, then you wouldn’t need to reset the password, just accept whatever auth mechanism allows them to know who is resetting the password.