No, you're right. You're not doing anything wrong. The basic client login module doesn't immediately perform an authentication, but just caches the username and password to be sent to the server when you make a call.
Why is it a problem getting a remote exception - if you make the remote call in your login method and get an exception then you let the user know that it failed and get them to retry?
Or you could make your remote method throw a user custom user exception and throw this from the remote method.
Alternatively you could use something like the SRP login module uses a proper authentication protocol with the server during login.