Wt::Auth. Logging for users without confirmed email should be optional.
Now there is no regular ability to deny users logging with unconfirmed email.
Moreover right after registration the user is automatically logged in.
I know not so many web sites which allow logging with unconfirmed email.
I think some wt_config.xml property or some policy managing function needed in next releases to manage the login behaviour in case of unconfirmed email (taking into account the cases right after registration and password updating).
Related issue discussion:
Related topic in help: