diff --git a/apps/login/lib/zitadel.ts b/apps/login/lib/zitadel.ts
index ad5d92d85e3..ef8ea65229a 100644
--- a/apps/login/lib/zitadel.ts
+++ b/apps/login/lib/zitadel.ts
@@ -190,10 +190,8 @@ export async function setSession(
 server: ZitadelServer,
 sessionId: string,
 sessionToken: string,
- password: string | undefined,
- totpCode: string | undefined,
- webAuthN: { credentialAssertionData: any } | undefined,
- challenges: RequestChallenges | undefined
+ challenges: RequestChallenges | undefined,
+ checks: Checks
 ): Promise {
 const sessionService = session.getSession(server);
@@ -205,16 +203,8 @@ export async function setSession(
 metadata: {},
 };
- if (password && payload.checks) {
- payload.checks.password = { password };
- }
-
- if (totpCode && payload.checks) {
- payload.checks.totp = { code: totpCode };
- }
-
- if (webAuthN && payload.checks) {
- payload.checks.webAuthN = webAuthN;
+ if (checks && payload.checks) {
+ payload.checks = checks;
 }
 return sessionService.setSession(payload, {});
diff --git a/apps/login/ui/PasswordForm.tsx b/apps/login/ui/PasswordForm.tsx
index 8f3a077a49f..1d37d9d0a4a 100644
--- a/apps/login/ui/PasswordForm.tsx
+++ b/apps/login/ui/PasswordForm.tsx
@@ -69,7 +69,27 @@ export default function PasswordForm({
 function submitPasswordAndContinue(value: Inputs): Promise {
 return submitPassword(value).then((resp: any) => {
- if (
+ // if user has mfa -> /totp
+ // if mfa is forced -> /mfa/set
+ // if no passwordless -> /passkey/add
+ if (resp.authFactors?.length >= 1) {
+ const params = new URLSearchParams(
+ authRequestId
+ ? {
+ loginName: resp.factors.user.loginName,
+ authRequestId,
+ }
+ : {
+ loginName: resp.factors.user.loginName,
+ }
+ );
+
+ if (organization) {
+ params.append("organization", organization);
+ }
+
+ return router.push(`/mfa/set?` + params);
+ } else if (
 resp.factors &&
 !resp.factors.passwordless && // if session was not verified with a passkey
 promptPasswordless && // if explicitly prompted due policy
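Review bot: The new signature references `Checks`, but this diff contains no import hunk for `apps/login/lib/zitadel.ts` (the session.ts hunk below had to add `Checks` to its `@zitadel/server` import), so unless `Checks` is already imported in this file the change will not compile. Also, `challenges` stays `RequestChallenges | undefined` while the new trailing `checks: Checks` is required, which forces every caller to pass at least `{}`; if an empty object is an acceptable value, `checks: Checks = {}` would keep the parameter optional without changing any existing call. setSession's body continues past this hunk.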
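Review bot: `if (checks && payload.checks)` guards nothing useful any more: `checks` is a required `Checks` parameter (truthy for every object), and `payload.checks` is only tested before being overwritten wholesale, so the old per-field merge into an existing `payload.checks` is gone. If the intent is simply to forward the caller's checks, `payload.checks = checks;` with no condition says so; if the intent is to avoid touching a session with no verification at all, test `Object.keys(checks).length > 0` instead, because an empty `Checks` object still reaches `sessionService.setSession` as written. Either way a one-line comment such as `// the caller assembles the verification checks (password/totp/webAuthN); forwarded unchanged` would document the new contract. The payload literal that presumably initialises `checks` lies between the two hunks and is not shown.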
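Review bot: The new first branch sends any user with `resp.authFactors?.length >= 1` to `/mfa/set`, while the comments directly above it say an existing factor should go to `/totp` and only forced MFA to `/mfa/set`; the removed code went to `/mfa/set` only when `loginSettings?.forceMfa` held and the user had no factors. As written, a user who already has a second factor lands on the setup page instead of being asked to verify the existing one, and `loginSettings` is no longer consulted at all — unless `/mfa/set` itself verifies existing factors, this looks like the two conditions got swapped. This branch also reads `resp.factors.user.loginName` without the `resp.factors &&` guard the next branch uses. I would at least replace the three comment lines with one that matches the code, e.g. `// user already has a second factor -> /mfa/set (verification of the existing factor is not enforced here)`, or restore the `loginSettings?.forceMfa && resp.authFactors?.length === 0` condition for the `/mfa/set` route. submitPasswordAndContinue continues into the next hunk.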
@@ -85,67 +105,35 @@ export default function PasswordForm({
 }
 return router.push(`/passkey/add?` + params);
+ } else if (authRequestId && resp && resp.sessionId) {
+ const params = new URLSearchParams({
+ sessionId: resp.sessionId,
+ authRequest: authRequestId,
+ });
+
+ if (organization) {
+ params.append("organization", organization);
+ }
+
+ return router.push(`/login?` + params);
 } else {
- let continueWithMfa = undefined;
- if (
- loginSettings?.forceMfa &&
- resp.authFactors?.length >= 1 // TODO if forceMFA is set and no user methods prompt to add method (/mfa/add)
- ) {
- if (loginSettings.secondFactors?.length === 1) {
- continueWithMfa = loginSettings.secondFactors[0];
- } else {
- // continueWithMfa = loginSettings.secondFactors[0];
- // render selection page for mfa (/mfa/select)
- }
- } else if (loginSettings?.forceMfa && resp.authFactors?.length === 0) {
- const params = new URLSearchParams(
- authRequestId
- ? {
- loginName: resp.factors.user.loginName,
- authRequestId,
- }
- : {
- loginName: resp.factors.user.loginName,
- }
- );
+ // without OIDC flow
+ const params = new URLSearchParams(
+ authRequestId
+ ? {
+ loginName: resp.factors.user.loginName,
+ authRequestId,
+ }
+ : {
+ loginName: resp.factors.user.loginName,
+ }
+ );
- if (organization) {
- params.append("organization", organization);
- }
-
- return router.push(`/mfa/set?` + params);
+ if (organization) {
+ params.append("organization", organization);
 }
- // OIDC flows
- if (authRequestId && resp && resp.sessionId) {
- const params = new URLSearchParams({
- sessionId: resp.sessionId,
- authRequest: authRequestId,
- });
- if (organization) {
- params.append("organization", organization);
- }
-
- return router.push(`/login?` + params);
- } else {
- // without OIDC flow
- const params = new URLSearchParams(
- authRequestId
- ? {
- loginName: resp.factors.user.loginName,
- authRequestId,
- }
- : {
- loginName: resp.factors.user.loginName,
- }
- );
-
- if (organization) {
- params.append("organization", organization);
- }
-
- return router.push(`/signedin?` + params);
- }
+ return router.push(`/signedin?` + params);
 }
 });
 }
diff --git a/apps/login/utils/session.ts b/apps/login/utils/session.ts
index 76023f7c43c..5335ea62c8a 100644
--- a/apps/login/utils/session.ts
+++ b/apps/login/utils/session.ts
@@ -12,7 +12,12 @@ import {
 addSessionToCookie,
 updateSessionCookie,
 } from "./cookies";
-import { Session, Challenges, RequestChallenges } from "@zitadel/server";
+import {
+ Session,
+ Challenges,
+ RequestChallenges,
+ Checks,
+} from "@zitadel/server";
 export async function createSessionAndUpdateCookie(
 loginName: string,
@@ -189,14 +194,24 @@ export async function setSessionAndUpdateCookie(
 totpCode: string | undefined,
 authRequestId: string | undefined
 ): Promise {
+ const checks: Checks = {};
+
+ if (password) {
+ checks.password = { password };
+ }
+ if (webAuthN) {
+ checks.webAuthN = webAuthN;
+ }
+ if (totpCode) {
+ checks.totp = { code: totpCode };
+ }
+
 return setSession(
 server,
 recentCookie.id,
 recentCookie.token,
- password,
- totpCode,
- webAuthN,
- challenges
+ challenges,
+ checks
 ).then((updatedSession) => {
 if (updatedSession) {
 const sessionCookie: SessionCookie = {
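Review bot: The `loginName`/`authRequestId`/`organization` query-string construction now appears verbatim in the `/mfa/set` branch of the previous hunk and in the `/signedin` branch here (and, judging by the `if (organization)` closing brace above `/passkey/add`, apparently in that branch too), each as a nested ternary followed by the same `organization` append. Pulling it into one local helper removes the duplication and leaves the target route as the only visible difference between those branches; the `/login` branch keeps its own `sessionId`/`authRequest` params. The sketch below builds the same `URLSearchParams` with a conditional spread instead of the ternary, so the `loginName` entry is written once. submitPasswordAndContinue starts in the previous hunk.
```typescript
    // Query string shared by the /mfa/set, /passkey/add and /signedin redirects.
    function loginNameParams(resp: { factors: { user: { loginName: string } } }): URLSearchParams {
      const params = new URLSearchParams({
        loginName: resp.factors.user.loginName,
        ...(authRequestId ? { authRequestId } : {}),
      });
      if (organization) {
        params.append("organization", organization);
      }
      return params;
    }
    // … unchanged: submitPassword(value).then(...) with the /mfa/set, /passkey/add and /login branches …
        } else {
          // without OIDC flow
          return router.push(`/signedin?` + loginNameParams(resp));
        }
```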
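Review bot: The three `if (...)` blocks drop a check whenever its input is falsy, so when none of `password`, `webAuthN` and `totpCode` is set, `setSession` is still called with an empty `Checks` object, i.e. the session is updated without any verification; the removed code had the same effect, but now that the assembly is explicit this is the place to decide whether that is wanted. If an empty check set is never meaningful here, short-circuit before the `setSession` call, e.g. `if (Object.keys(checks).length === 0) throw new Error("no session check supplied");` (the function is `async`, so callers see a rejected promise), and if it is meaningful, say so in a comment on `const checks`. The truthiness tests also treat an empty-string password as "not provided", which is probably intended but deserves a `// empty strings count as absent` note. setSessionAndUpdateCookie begins before this hunk and its `.then` continues after it.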