
The best measure? Let any login pass, just generate a fake account if the credentials were wrong.



The best measure? Ditch the password. It can be reset anyway, it can be stolen, it's just unnecessary complexity, it doesn't provide any security.

You can prove ownership of the email? You can log in - worst case, after a password reset. So why have a password?

email: ______________ [Log in]

The "Log in" button results in a "Check your inbox and click the link in the email that we just sent you" page.

Source: https://appear.in/ used this flow from the very beginning, before it was destroyed in a trademark dispute. EDIT: now it is https://whereby.com/user/login
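The email-only flow described in this comment, as an added example (it is not appear.in's or whereby.com's code, and nothing here is taken from either site): the user submits an address, the server mails a single-use link, and clicking the link is the login. The in-memory store, the `example.invalid` verify endpoint and the 15-minute lifetime are assumptions; a real deployment would persist the hashed token in a database and send the link by email instead of returning it.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed example of an email-only ("magic link") login.
# Assumptions: an in-memory dict stands in for the database, and the
# link is returned to the caller instead of being emailed.
TOKEN_TTL_SECONDS = 15 * 60                           # links expire quickly
BASE_URL = "https://example.invalid/login/verify"     # hypothetical endpoint

# token_hash -> (email, expires_at). Only a hash of the token is stored,
# so reading the store does not yield a usable login link.
_pending: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_login(email: str, now: Optional[float] = None) -> str:
    """Step 1: the user submits only an email address.

    Returns the single-use link that would be emailed to that address.
    The caller should show the same "check your inbox" page whether or
    not the address is known, so the form cannot enumerate accounts.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
    _pending[_hash_token(token)] = (email.strip().lower(), now + TOKEN_TTL_SECONDS)
    return f"{BASE_URL}?token={token}"


def verify_login(link: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: the user clicks the link.

    Returns the email to log in as, or None if the token is unknown,
    already used, or expired. The token is removed on first lookup
    (pop), so a leaked or replayed link cannot log in twice.
    """
    now = time.time() if now is None else now
    token = parse_qs(urlparse(link).query).get("token", [""])[0]
    entry = _pending.pop(_hash_token(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    link = request_login("Alice@Example.com")
    print("would email:", link)
    print("first click :", verify_login(link))   # alice@example.com
    print("second click:", verify_login(link))   # None (single use)
```

Two details matter in practice: the token must come from a CSPRNG (`secrets`, not `random`), and it must be both short-lived and single-use, since anyone who can read the inbox, or the mail server logs, has the same power as the password this flow replaces.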


That would make things waaaay more difficult for users. "Okay, I'm logged in, let me do something.... Now it says I don't have permission?? Did my account get deactivated??? What am I doing wrong????"


Hah, I did this ages ago in a notebook application that I wrote for myself...

Though the number of times I went a long time between logging in, got the wrong credentials, and got scared very quickly when all of my notes had vanished :P



