But can't you implement all three with a temporary password as well? Make the password valid for 24 hours only and when the user logs in with their temporary password perform any kind of extra verification and if that's passed then also force the user to change their password. Seems like the same thing.
The website I noticed on the front page (sunsuper.com.au) was doing precisely this (although their TTL was 90 days which is indeed far too long and it's impossible to tell whether they forced a password reset or simply recommended a password change).
Yes, but using a token is better for usability and trust since that wont make it possible to lock out other users by clicking the forgot password link, and I as a user will think it is more likely someone doing token based resets has done security correctly.
The website I noticed on the front page (sunsuper.com.au) was doing precisely this (although their TTL was 90 days which is indeed far too long and it's impossible to tell whether they forced a password reset or simply recommended a password change).