I think you covered most of what you will need to make this page work. You will have the form on this page, the form should post to this same page. You will then have a recordset that is filtered on the posted values from this form.
If the recordset is not empty then you can send them to the email password page. If you would like it so the user cannot get to the email password page by just going there directly then you would need to make an extra check, you can set a session variable on the verify page after you check for the recordset being empty and before you send the user to the email password page. You would then have a check at the top of the email password page for the user_verified session variable you created. If the variable is not set or does not have a value then you would redirect them back to the verify page.
If you had it like this the user would be required to fill out the verify form before they can continue to the email password page.