This takes a bit of work, but it's worth it.
First off, don't reset the password - do nothing with it immediately.
Then send an email (easy: "Sending an Email in C# with or without attachments: generic routine").
The email contains a message saying "We have received a password reset request on your account. If you requested this, click here: xxx If you didn't, do nothing" and providing a URL to a page, along with a unique code which accesses a DB table of requests. That page then asks the user to confirm, and, if he does, allows him to enter a new password.
If he doesn't click the link in 24 hours, the code expires and gets deleted in routine maintenance.
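
A sketch of the request table behind the flow described above, as an added example that is not part of the original answer. The class and method names are hypothetical and a dictionary stands in for the DB table; storing only a hash of the emailed code and deleting the row on first use are assumptions that go beyond what the answer states.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the DB table of reset requests.
public class PasswordResetRequests
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromHours(24);
    // Key: SHA-256 of the emailed code (assumption: a leaked table then yields no usable codes).
    private readonly Dictionary<string, (string UserId, DateTime ExpiresUtc)> _rows =
        new Dictionary<string, (string, DateTime)>();

    // Called when a reset is requested; the password itself is not touched here.
    // Returns the unique code to embed in the emailed URL.
    public string Create(string userId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string code = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _rows[Hash(code)] = (userId, nowUtc + Lifetime);
        return code;
    }

    // Called when the user confirms and submits the new password.
    // Returns the user id for a known, unexpired code, otherwise null.
    // The row is removed on any match, so a code works at most once.
    public string Redeem(string code, DateTime nowUtc)
    {
        string key = Hash(code ?? "");
        if (!_rows.TryGetValue(key, out var row)) return null;
        _rows.Remove(key);
        return nowUtc <= row.ExpiresUtc ? row.UserId : null;
    }

    // Routine maintenance: delete requests older than 24 hours.
    public int PurgeExpired(DateTime nowUtc)
    {
        var dead = _rows.Where(r => r.Value.ExpiresUtc < nowUtc).Select(r => r.Key).ToList();
        dead.ForEach(k => _rows.Remove(k));
        return dead.Count;
    }

    private static string Hash(string code)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(code)));
    }
}
```

The existing password is changed only after `Redeem` returns a user id, so an unsolicited request leaves the account untouched.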