We can use the TwoFactorMethodsInfo object/entity to query the users who haven’t verified their email addresses yet in Salesforce.
Admins or Users need the “Manage Multi-Factor Authentication in API” permission at Profile or Permission Set level to query or use SOQL against the TwoFactorMethodsInfo object/entity.
SOQL:
SELECT Id, UserId, User.Name,
ExternalId, HasUserVerifiedEmailAddress
FROM TwoFactorMethodsInfo
WHERE HasUserVerifiedEmailAddress = false
HasUserVerifiedEmailAddress field is not editable.