I would consider changing the logic, so PasswordState only relies on the sAMAccountName field from AD to match / create a new user-account. Surname and FirstName should be handled independently, as not all organizations base their sAMAccountName on these fields.
At our organization when a person gets married (or divorced) they can request a Surname change, but we don't generate a new sAMAccountName we simply update the Surname field. Same occurs if a person has a change in gender and their FirstName changes.
I understand the importance of UserID and totally agree with the implications of changing it, but this should be tied to the sAMAccountName field only (not the name fields).
Hopefully you agree and will consider allowing automatic updates of FirstName and Surname in a future release.
Thanks...Scott