Today a user can use the same mobile phone for password reset by using text message / phone call and authenticator app...

To view the text message, answer the call and / or accept the push notification it is not necessary to unlock the phone.

So what's the use of forcing two methods for password reset?

We need an option to prevent user from reset password by using app notification and phone message / call. The Authenticator App could access the mobile phone number, used by the device and the admin should have the option to prevent accepting push notifications in lock screen.