Both of these, plus a differentiator between 'current' and 'new' token requests - without that, it's an easy way to log people out of sites by simply knowing their email address. To the point about not always having access to email, it's a pretty simple denial of service vector.
Can you clarify what you mean by "differentiator between current and new token requests"? Currently I don't exactly know which attack form you mean and how it could be prevented by such a "differentiator".