We can use the TwoFactorMethodsInfo object/entity to query the users who haven’t verified their email addresses yet in Salesforce.

Admins or Users need the “Manage Multi-Factor Authentication in API” permission at Profile or Permission Set level to query or use SOQL against the TwoFactorMethodsInfo object/entity.

SOQL:

SELECT Id, UserId, User.Name,
ExternalId, HasUserVerifiedEmailAddress
FROM TwoFactorMethodsInfo
WHERE HasUserVerifiedEmailAddress = false

HasUserVerifiedEmailAddress field is not editable.