Encrypted password reset emails
Similar to the feature provided by Facebook - it will be great if the password reset emails are sent encrypted to recovery email addresses (the public key must be imported prior to that).
Extending this functionality - a user should be able to reset his/her password by sending a PGP-signed email from an external email address (again - the public key must be imported prior to that).
This will help prevent account takeover if the recovery email is compromised.
25 votes
