What you could do, fairly similar to what Bart suggested:
Needed for this solution:
You may also want to add a scheduled event to clean up PasswordResetRequests older than a certain amount of time. (For example a few days)
We did build such a function using Login Widget which we modified to include a forgot password hyperlink.
This hyperlink uses a Deeplink (widget) to open directly a form on a special/dedicated entity in the application.
Setting up Guest login in project settings and minimal rights to get to this form without login in.
Now let the person enter his email and handle stuff in a microflow after commit of this special entity like setting a random password and sending it by email (AppStore module).