If you are requiring that a user enter the password on the registration page, they get added in to the pre_authenticated role, and they get an email with the validation link.
If the user follows the link in the email all is cool and they get logged in and removed from the pre auth role.
However, if the user uses the 'reset password' form, they get send a one-time login link by user.module. When they click on the link, they are logged in to their account and they can change their password etc. But, they are not removed from the pre authenticated role, even though they have effectively just verified their email by clicking the login link that was sent to them by user.module.