Which security measure best applies to self-service password reset?


Multiple Choice

Which security measure best applies to self-service password reset?

Explanation:
Securing self-service password reset means layering three controls: verification, controlled delivery, and monitoring. Multi-factor challenges require more than the single reset link or code. They typically pair something the user has (a registered device, an authenticator) or is (a biometric) with the emailed or texted token, so an attacker who obtains one factor, for example by reading the reset link out of a compromised mailbox, still cannot complete the reset.

Limiting reset channels ensures the link or code is delivered only to contact points that were registered and verified before the request, never to an address or number supplied in the reset form itself. This removes the easiest path for an attacker: asking the system to send the token somewhere they control. The token should also be short-lived, single-use, and stored only as a hash, so a leaked database or a replayed link does not yield a working reset.

Abuse monitoring adds ongoing protection by detecting unusual or rapid reset attempts, applying rate limits or temporary blocks, and alerting administrators to likely enumeration or takeover attempts.

Together these create multiple barriers that make unauthorized resets much harder while still letting legitimate users recover access. The other options remove critical protections: skipping identity verification leaves no proof of who is resetting; allowing unlimited resets invites brute force and enumeration; and shared reset codes are easily leaked or reused.
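The following is an added example, not code from Passetra or from any quiz answer, showing how the three controls above fit together in a single reset flow. It assumes an in-memory account store, a pre-shared second-factor secret with an HMAC time-window code standing in for TOTP, and fixed limits (a 15-minute token lifetime, 3 requests per hour, 5 failed completions before the token is burned); all of these are illustrative choices. Tokens are generated with a CSPRNG, stored only as hashes, delivered only to the registered contact, and consumed once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values for this example; tune to your risk appetite.
TOKEN_TTL = 15 * 60           # reset links expire after 15 minutes
MAX_REQUESTS_PER_HOUR = 3     # per-account rate limit on reset requests
LOCKOUT_AFTER_FAILURES = 5    # failed completions before the token is burned


@dataclass
class Account:
    username: str
    registered_email: str       # the only channel a reset link may go to
    mfa_secret: bytes           # enrolled second factor (HMAC-based challenge here)
    password_hash: str = ""
    # Pending reset: only the hash of the token is stored, so a database read
    # does not yield a usable link.
    token_hash: str = ""
    token_expires: float = 0.0
    request_times: list = field(default_factory=list)
    failed_completions: int = 0


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def derive_mfa_code(secret: bytes, window: int) -> str:
    """Six-digit code from the enrolled secret and a 30-second window.
    Stands in for TOTP/WebAuthn; the shape (secret + moving factor) is the same."""
    digest = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def request_reset(acct: Account, requested_contact: str, now: float, alerts: list) -> dict:
    """Issue a reset token, but only to the registered contact and within rate limits."""
    # Limit reset channels: the caller-supplied address must match the
    # registered one; a mismatch is rejected and logged as a signal.
    if requested_contact.lower() != acct.registered_email.lower():
        alerts.append(f"{acct.username}: reset requested for unregistered contact")
        return {"status": "rejected", "reason": "unregistered_contact"}
    # Abuse monitoring: rapid requests hit a rate limit and raise an alert.
    acct.request_times = [t for t in acct.request_times if now - t < 3600]
    if len(acct.request_times) >= MAX_REQUESTS_PER_HOUR:
        alerts.append(f"{acct.username}: reset rate limit hit")
        return {"status": "rejected", "reason": "rate_limited"}
    acct.request_times.append(now)
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    acct.token_hash = hash_token(token)
    acct.token_expires = now + TOKEN_TTL
    acct.failed_completions = 0
    # The dict models the message handed to the mail sender; the raw token
    # exists only there and in the user's inbox, never in the database.
    return {"status": "sent", "to": acct.registered_email, "token": token}


def complete_reset(acct: Account, token: str, mfa_code: str, new_password: str,
                   now: float, alerts: list) -> dict:
    """Consume the token only if it is valid, unexpired, and paired with a correct second factor."""
    if not acct.token_hash or now > acct.token_expires:
        return {"status": "rejected", "reason": "no_valid_token"}
    token_ok = hmac.compare_digest(hash_token(token), acct.token_hash)
    window = int(now // 30)
    # Accept the current and previous window to tolerate clock skew.
    mfa_ok = any(hmac.compare_digest(mfa_code, derive_mfa_code(acct.mfa_secret, w))
                 for w in (window - 1, window))
    if not (token_ok and mfa_ok):
        acct.failed_completions += 1
        if acct.failed_completions >= LOCKOUT_AFTER_FAILURES:
            acct.token_hash = ""   # burn the token; a new request must pass the rate limit
            alerts.append(f"{acct.username}: token burned after repeated failed completions")
        return {"status": "rejected", "reason": "bad_token_or_mfa"}
    acct.token_hash = ""           # single use: a replayed link is worthless
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    acct.password_hash = salt.hex() + ":" + dk.hex()
    return {"status": "reset"}
```

Note the order of checks: the contact restriction and rate limit run before a token is minted, so an attacker can neither redirect the link nor spray requests, and a correct token without the second factor still fails. The `alerts` list is where a real deployment would emit SIEM events.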
