Yeah, that's what I was thinking could also be a good idea... Creating a new operation type that could immediately lock down an account if signed with the signature of any recent password, and thus also initiating the normal account recovery process.