So you click the button, and it has your username and/or email already known, so it knows that email address is validly tied to that account.

So they send you off an email, knowing that only the right user will be able to receive it, and they give you a one-time password to use to get back into your account.

In the backend, when you type in that one-time code, it now knows you are the correct user, so it lets you reset your password, and the new password overwrites the old one.

Basically, they’ve just authenticated you via email, rather than by password directly.