That depends on the kind of services they provide. Simplest options that come to mind are nothing (like this wesbsite) or a printed reset code with owner notification on use and 1-day wait period. At the very least they can allow power users to disable password resets when they want.

Nothing is extremely painful for a federated identity protocol (although I think it should be a clear option for those of us who take these things seriously!). Printed reset codes are part of the way there, but how many people will actually save or print out the file?

SMS confirmation is another mechanism, and one that is viable in most of the world, but has a different set of risks.

I think a combination of these are a good approach, but this is a really tough problem in the identity space, and if you have any suggestions on how to improve it in a way that is viable for a large user base, your feedback would be greatly appreciated!