@tulpa "I wouldn't" doesn't cut it. People often forget passwords. It's paramount there exist some mechanism to reset it.
The main weakness of the established method (just send an email) is that people reuse passwords.
A better approach is requiring 2FA be turned on at all times. So, even after confirming access to the email address, you must now additionally confirm ownership by way of using TOTP codes.