diff --git a/auth/process/state.go b/auth/process/state.go
index cb80db9..0b5e9e8 100644
--- a/auth/process/state.go
+++ b/auth/process/state.go
@@ -12,17 +12,15 @@ const (
 // StateBasic defines the "username and password with no OTP" user state
 // This is skipped if OTP/passkey is optional and not enabled for the user
 StateBasic
- // StateExtended defines the "logged in" user state
- StateExtended
+ // StateAuthenticated defines the "logged in" user state
+ StateAuthenticated
 // StateSudo defines the "sudo" user state
 // This state is temporary and has a configurable duration
 StateSudo
 )
 
-func (s State) IsValid() bool {
- return s <= StateSudo
-}
+func (s State) IsValid() bool { return s <= StateSudo }
 
-func (s State) IsLoggedIn() bool { return s >= StateExtended }
+func (s State) IsLoggedIn() bool { return s >= StateAuthenticated }
 
 func (s State) IsSudoAvailable() bool { return s == StateSudo }
diff --git a/auth/providers/oauth.go b/auth/providers/oauth.go
index 7240770..3aabd32 100644
--- a/auth/providers/oauth.go
+++ b/auth/providers/oauth.go
@@ -175,7 +175,7 @@ func (o OAuthLogin) updateExternalUserInfo(req *http.Request, sso *issuer.WellKn
 })
 return auth.UserAuth{
 Subject: userSubject,
- Factor: process.StateExtended,
+ Factor: process.StateBasic, // TODO: should the user be allowed to skip otp via oauth?
 UserInfo: sessionData.UserInfo,
 }, err
 case errors.Is(err, sql.ErrNoRows):
@@ -231,7 +231,7 @@ func (o OAuthLogin) updateExternalUserInfo(req *http.Request, sso *issuer.WellKn
 // TODO(melon): this feels bad
 sessionData = auth.UserAuth{
 Subject: userSubject,
- Factor: process.StateExtended,
+ Factor: process.StateAuthenticated, // TODO: should the user be allowed to skip otp via oauth?
 UserInfo: sessionData.UserInfo,
 }
 
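Review bot: The three `Factor:` assignments in oauth.go no longer agree: the hunks at -175 and -296 now return `process.StateBasic`, but the one at -231 in `updateExternalUserInfo` still sets `process.StateAuthenticated`, so a login taking that branch satisfies `IsLoggedIn()` (`s >= StateAuthenticated`) without the OTP step the other two paths now go through. That branch appears to follow `case errors.Is(err, sql.ErrNoRows):`, i.e. a first-time external user, but the function body lies outside the hunks, so this is inferred. If skipping the second factor there is deliberate, replace the copied TODO with the reason, e.g. `// new external user has no OTP enrolled yet, so the session starts authenticated`; otherwise make it `Factor: process.StateBasic,` like the other two. As written, the identical TODO on all three lines hides that the code already answers the question differently per path.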
@@ -296,7 +296,7 @@ func (o OAuthLogin) fetchUserInfo(sso *issuer.WellKnownOIDC, token *oauth2.Token
 
 return auth.UserAuth{
 Subject: subject,
- Factor: process.StateExtended,
+ Factor: process.StateBasic, // TODO: should the user be allowed to skip otp via oauth?
 UserInfo: userInfoJson,
 }, nil
 }
diff --git a/server/auth_test.go b/server/auth_test.go
index baa20e6..50796b0 100644
--- a/server/auth_test.go
+++ b/server/auth_test.go
@@ -19,7 +19,7 @@ func TestUserAuth_NextFlowUrl(t *testing.T) {
 assert.Equal(t, url.URL{Path: "/login"}, *u.NextFlowUrl(&url.URL{}))
 assert.Equal(t, url.URL{Path: "/login", RawQuery: url.Values{"redirect": {"/hello"}}.Encode()}, *u.NextFlowUrl(&url.URL{Path: "/hello"}))
 assert.Equal(t, url.URL{Path: "/login", RawQuery: url.Values{"redirect": {"/hello?a=A"}}.Encode()}, *u.NextFlowUrl(&url.URL{Path: "/hello", RawQuery: url.Values{"a": {"A"}}.Encode()}))
- u.Factor = process.StateExtended
+ u.Factor = process.StateAuthenticated
 assert.Nil(t, u.NextFlowUrl(&url.URL{}))
 }
 