Hi Rupesh
That was my warning on the post I linked you to
Quite a few PSS solutions have this as a setup (even SCN). The key thing you are reliant on is that the email account must be restricted to only the user to receive the password/link as well as appropriate Challenge Response Questions defined as part of their registration.
But yes, they can technically enter any User ID to request the password, and if they know the answers to the questions then they will get the password issued.
Your alternative is to introduce another system (i.e. AD, which you ruled out) or see if there is a way to introduce second-factor authentication (I don't believe this is delivered with GRC).
Regards
Colleen