My problem is that I can log in prior to the verification URL being clicked, but as I was writing up this report, I realized how you are preventing the login, and why it doesn't work on my site.
I use the "email login" plugin, which allows users to log in using their email address, and since you don't modify the email address in the database, but only muck with the username, users can still log in.
Any ideas if that can be fixed? Can the email address be munged with an unverified_ prefix like the username *after* the verification email is sent out? I don't know what the code flow looks like and if your plugin has control after the email is sent out.
I'll report a bug for the "email login" author and see if he has any ideas. Maybe his plugin could check to see if the username is prefixed with "unverified_" or something like that?
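
The check suggested in the post above, sketched as an added example (not code from either plugin): a late `authenticate` filter that inspects the stored login of whichever account was resolved, so it applies whether the user typed a username or an email address. The function name, error code and message are hypothetical; only the `unverified_` prefix comes from the post.

```php
<?php
// Added example. Only the "unverified_" prefix is taken from the post;
// the function name, error code and message are hypothetical.
const EXAMPLE_UNVERIFIED_PREFIX = 'unverified_';

/**
 * Reject logins for accounts whose stored username still carries the
 * unverified prefix, regardless of how the account was looked up.
 *
 * Hooked at priority 100 so it runs after the handlers that resolve the
 * account (core's username and email handlers run at priority 20).
 */
function example_block_unverified_login( $user, $username, $password ) {
    // An earlier handler already failed, or nothing was resolved: pass through.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }

    // Compare against the login stored in the database, not the form input,
    // because an email-based lookup never sees the munged username.
    if ( 0 === strpos( $user->user_login, EXAMPLE_UNVERIFIED_PREFIX ) ) {
        return new WP_Error(
            'example_unverified_account',
            'Please confirm your email address before logging in.'
        );
    }

    return $user;
}
add_filter( 'authenticate', 'example_block_unverified_login', 100, 3 );
```

This only covers logins that go through the `authenticate` filter; a plugin that sets the auth cookie directly would need its own check.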