Password reset: Can you lock out a user who cannot access his/her mailbox?

I tried the password reset for testing and received the email “Someone has asked to reset the password for the following site and username” etc.. Without using this “Temporary Password”, however, I tried then to log in with the previous password (before the reset) – refused.
Does this mean that in order to lock out any user it is sufficient to know (or guess) the email address and then reset the password? Of course, in most cases the locked-out user can then after every reset again go to the profile and change back the password to the old one, but in some cases I cannot access my emails.
I would have assumed that the temporary password would be valid for a limited time additionally to the previous password. Only if the user logs in with the temporary password, it would be made the real password.