My confusion here is that if you're doing that, why bother with the cryptography? You can just look the person up in the company database, call them, and say "Hey! Did you just request a password reset?".

If one of your pre-requisites is "There is a trusted out-of-band way for me to validate comms with this person", the crypto is just extra bits.