In the filter tab of the UI you should be filtering the username column with the value from the form... and you shouldn't have a recordset on the page at all.
You have a recordset returning the user information and then you are logging in with the field from that recordset, which of course is always valid since it is coming from the database directly.
Delete the recordset from the page.
Update the Authenticate Server behavior and on the filter tab filter the authenticate based on both the username and password columns, getting their values from the submitted form.