First off, self-service password resets are considered questionable security (ask Bruce Schneier if you don’t believe me: https://www.schneier.com/essays/archives/2005/02/the_curse_of_the_sec.html) because they lower the total security. If it’s easy for the user to remember the answers to the three questions even though he’s prone to forget the password, then it’s that much easier for an attacker to find out that information and break into the user’s account through “password recovery”.
Sure, in your proposal, it’ll result in the user’s password getting changed, which he should notice - but the very premise was that the user is likely to have forgotten the original one, anyway …
Having said that: if there is to be a password reset method, I’d say that it should be implemented in the Portable Authentication Modules (PAM); unfortunately, my PAM-fu is not up to the task of saying whether it can be done with only configuration, or requires writing a new module.
PAM is what forces users with an expired password (see the shadow(5) manpage, in particular the 3rd and 5th fields of /etc/shadow lines) to set a new one, the result being that it works equally when logging in to a text console, doing a remote login via SSH, and presumably others (maybe even SDDM?) as well. (I have to admit that the SSH route insists on throwing you out and requiring a second try at logging in after having set a new password, though.)
The job of SDDM (and other login interfaces) then wouldn’t be to implement the entire process itself, but merely to understand and display the format of that PAM module’s user-ward I/O.
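As an added illustration (not part of the original post), the following sketch reads the 3rd and 5th fields of shadow(5)-format lines and reports which accounts would be asked for a new password at next login. The sample lines, the state labels, and the treatment of the boundary day as expired are assumptions made for this example.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample lines in shadow(5) format; "*" stands in for the hash field.
SAMPLE_SHADOW = [
    "alice:*:19700:0:90:7:::",   # changed recently, 90-day maximum age
    "bob:*:19600:0:90:7:::",     # last change older than the maximum age
    "carol:*:0:0:90:7:::",       # field 3 == 0: change forced at next login
    "dave:*::0:90:7:::",         # field 3 empty: password aging disabled
    "erin:*:19000:0::7:::",      # field 5 empty: no maximum age
]

def password_state(shadow_line, today):
    """Classify one line using field 3 (last change) and field 5 (max age)."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    name, last_change, max_age = fields[0], fields[2], fields[4]
    if last_change == "":
        return name, "aging-disabled"
    if int(last_change) == 0:
        return name, "change-required"
    if max_age == "":
        return name, "no-max-age"
    days_today = (today - EPOCH).days
    # Assumption: the day on which the maximum age is reached counts as expired.
    if days_today >= int(last_change) + int(max_age):
        return name, "change-required"
    return name, "ok"

def audit(lines, today):
    """Return {user: state} for every line; hash fields are never inspected."""
    return dict(password_state(line, today) for line in lines)

if __name__ == "__main__":
    for user, state in audit(SAMPLE_SHADOW, date(2024, 1, 1)).items():
        print(f"{user}: {state}")
```

Against a real system, the lines would come from /etc/shadow read with root privileges; the other aging fields (minimum age, warning, inactivity, account expiry) are left out here.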