Let me explain how I do this, as I have never used a recipe for that.
Let's say that I have a user that has successfully logged in and they have limited access to their account. As a new user, I don't offer them the ability to change their password until they prove that they are who they say they are (authenticate their account).
I have added a show region for the change password function only if the account has been authenticated. I have a query that looks at the logged-in user account to see if the validated field has a '0' or a '1'. If '0', the user is encouraged to validate their account. If '1', then the user has the ability to change their password.
The process that I have in place to do the validation of the account is to create an email message with a link to a validate_account.php page that also includes some additional information that I pass in the link.
I send a user ID along with a session ID in that link. This is done by creating the link exactly like a GET would. Once the link hits the server, I then take those bits of information and I compare them to what is stored in the account record. I also match the IP address from the form submission to the validation process. If all of them match, I update the user account to indicate that the validation has been found to be true.
It works well.
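
The validation flow described above, sketched in PHP as an added example that is not part of the original post. The `users` table, its `validate_sid`, `signup_ip` and `validated` columns, the `uid`/`sid` parameter names, the function names and all sample values are assumptions; the stored value is a random stand-in for the session ID recorded at sign-up.

```php
<?php
declare(strict_types=1);
// Added example. Schema, names and sample values are assumptions, not from the post.

function build_validation_link(string $base, int $uid, string $sid): string
{
    // Built "exactly like a GET": values are URL-encoded into the query string.
    return $base . '?' . http_build_query(['uid' => $uid, 'sid' => $sid]);
}

function validate_account(PDO $db, array $get, string $remoteIp): bool
{
    // Reject anything that is not an integer ID plus a 32-char hex value.
    $uid = filter_var($get['uid'] ?? null, FILTER_VALIDATE_INT);
    $sid = $get['sid'] ?? '';
    if ($uid === false || !is_string($sid) || !preg_match('/^[0-9a-f]{32}$/', $sid)) {
        return false;
    }
    $q = $db->prepare('SELECT validate_sid, signup_ip FROM users WHERE id = ? AND validated = 0');
    $q->execute([$uid]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user, or account already validated
    }
    // Constant-time comparison of the stored value with the one from the link,
    // then the IP match between sign-up and validation.
    if (!hash_equals($row['validate_sid'], $sid) || $row['signup_ip'] !== $remoteIp) {
        return false;
    }
    // The "validated = 0" guard makes the link single-use.
    $u = $db->prepare('UPDATE users SET validated = 1 WHERE id = ? AND validated = 0');
    $u->execute([$uid]);
    return $u->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, validate_sid TEXT, signup_ip TEXT, validated INTEGER DEFAULT 0)');
$sid = bin2hex(random_bytes(16)); // stand-in for the session ID stored at sign-up
$db->prepare('INSERT INTO users (id, validate_sid, signup_ip) VALUES (?, ?, ?)')->execute([7, $sid, '203.0.113.10']);

$link = build_validation_link('https://example.test/validate_account.php', 7, $sid);
parse_str((string) parse_url($link, PHP_URL_QUERY), $get);

var_dump(validate_account($db, $get, '198.51.100.5'));   // link opened from a different IP
var_dump(validate_account($db, ['uid' => '7', 'sid' => str_repeat('0', 32)], '203.0.113.10')); // wrong value
var_dump(validate_account($db, $get, '203.0.113.10'));   // user ID, value and IP all match
var_dump(validate_account($db, $get, '203.0.113.10'));   // same link used a second time
```

The IP comparison follows the post's design, so a user who opens the e-mail from a different network than the one used at sign-up will not validate.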