I second this feature request. I’ve also created a similar feature request, specifically to require their current password as a second factor in order to reset. This is in line with OWASP 4.0 ASVS 2.1.6 requirements - https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf