That's exactly how I have it implemented. But I'm letting ASP.Net Identity handle it for me.
However, for domain users, we authenticate against AD.
>When they click the reset password link, generate a token and expiration date/time and store it in their account. E-mail the user a link that contains this token. Then create a page that can receive this token, verify the token and make sure it hasn't expired, and display a field to change the password. On save, update the password hash and clear the token/expiration. Maybe also log the last password reset date/time.
Craig Berntson
MCSD, Microsoft .Net MVP, Grape City Community Influencer
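The quoted reset flow (random token plus expiry stored on the account, e-mailed link, verification page, password update that clears the token) as an added, framework-independent example in Python. This is not the poster's code and not what ASP.NET Identity does internally; the `Account` record, the one-hour `TOKEN_TTL`, the `/reset-password?token=` URL shape and the PBKDF2 parameters are assumptions. It goes one step past the quoted text by storing only a SHA-256 hash of the token, so a leaked database copy cannot be used to reset anyone's password, and by comparing in constant time:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(hours=1)  # assumed expiry window for a reset link


@dataclass
class Account:
    """Minimal stand-in for the user row; field names are assumptions."""
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None      # hash of the token, never the token itself
    reset_expires_at: Optional[datetime] = None
    last_password_reset: Optional[datetime] = None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as '<salt hex>$<hash hex>'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def check_password(account: Account, password: str) -> bool:
    salt_hex, _ = account.password_hash.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(account.password_hash, candidate)


def _hash_token(token: str) -> str:
    # Tokens are high-entropy random strings, so an unsalted fast hash is enough
    # to keep the stored value useless if the database leaks.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(account: Account, now: datetime) -> str:
    """Reset link clicked: mint a token and expiry, store the token hash,
    return the raw token so it can be placed in the e-mailed link."""
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    account.reset_token_hash = _hash_token(token)
    account.reset_expires_at = now + TOKEN_TTL
    return token


def build_reset_link(base_url: str, token: str) -> str:
    """Assumed link format; the token travels in the query string."""
    return f"{base_url}/reset-password?token={token}"


def verify_token(account: Account, token: str, now: datetime) -> bool:
    """Reset page: token must exist, be unexpired, and match the stored hash."""
    if account.reset_token_hash is None or account.reset_expires_at is None:
        return False
    if now >= account.reset_expires_at:
        return False
    return hmac.compare_digest(account.reset_token_hash, _hash_token(token))


def complete_reset(account: Account, token: str, new_password: str, now: datetime) -> bool:
    """On save: re-verify (the token could have expired while the form was open),
    store the new password hash, clear token/expiry so the link is single-use,
    and record when the reset happened."""
    if not verify_token(account, token, now):
        return False
    account.password_hash = hash_password(new_password)
    account.reset_token_hash = None
    account.reset_expires_at = None
    account.last_password_reset = now
    return True


if __name__ == "__main__":
    # Constructed walk-through of the whole flow.
    now = datetime.now(timezone.utc)
    user = Account("user@example.com", hash_password("old-password"))
    token = request_reset(user, now)
    print("mail this:", build_reset_link("https://app.example.com", token))
    print("valid now:", verify_token(user, token, now))
    print("valid after TTL:", verify_token(user, token, now + TOKEN_TTL))
    print("reset ok:", complete_reset(user, token, "new-password", now + timedelta(minutes=5)))
    print("reuse blocked:", complete_reset(user, token, "again", now + timedelta(minutes=6)))
```

Note that the expiry check uses `>=`, so a link is invalid at exactly the stored expiry instant, and that `complete_reset` clears the token before returning, which is what makes the e-mailed link single-use.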