diff --git a/internal/api/grpc/session/v2/integration_test/session_test.go b/internal/api/grpc/session/v2/integration_test/session_test.go
index 245388155b2..6d11fdd3f40 100644
--- a/internal/api/grpc/session/v2/integration_test/session_test.go
+++ b/internal/api/grpc/session/v2/integration_test/session_test.go
@@ -969,11 +969,22 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 func Test_ZITADEL_API_missing_mfa(t *testing.T) {
 mfaUser := createFullUser(CTX)
- registerTOTP(CTX, t, mfaUser.GetUserId())
+
+ // make sure the session works even with a not fully set up MFA factor
+ _, err := Instance.Client.UserV2.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
+ UserId: mfaUser.GetUserId(),
+ })
+ require.NoError(t, err)
 id, token, _, _ := Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
 ctx := integration.WithAuthorizationToken(context.Background(), token)
- sessionResp, err := Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
+ require.NoError(t, err)
+
+ // now fully set up MFA and make sure the session is rejected without MFA
+ registerTOTP(CTX, t, mfaUser.GetUserId())
+ id, token, _, _ = Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
+ ctx = integration.WithAuthorizationToken(context.Background(), token)
+ sessionResp, err = Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
 require.Error(t, err)
 require.Nil(t, sessionResp)
 }
diff --git a/internal/query/user_auth_method_types_required.sql b/internal/query/user_auth_method_types_required.sql
index 3c24b39fc9e..058c1abc138 100644
--- a/internal/query/user_auth_method_types_required.sql
+++ b/internal/query/user_auth_method_types_required.sql
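Review bot: On the new side `sessionResp, err = Instance.Client.SessionV2.GetSession(...)` assigns `sessionResp` with `=`, but the only `:=` declaration of that variable was on the removed line, so as the hunk reads the function no longer declares `sessionResp` and would not compile; by the same token the first `require.NoError(t, err)` after `ctx :=` only re-checks the RegisterTOTP error and never exercises the session, although the comment above it says it should "make sure the session works". Unless the collapsed diff dropped a context line, the first phase should call the API with the session token and keep the declaration, e.g. `sessionResp, err := Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})` placed directly before that `require.NoError(t, err)`. The enclosing function Test_ZITADEL_API_missing_mfa starts and ends inside the hunk.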
@@ -19,6 +19,7 @@ LEFT JOIN LATERAL (
 WHERE projections.user_auth_methods5.user_id = projections.users14.id
 AND projections.user_auth_methods5.instance_id = projections.users14.instance_id
+ AND projections.user_auth_methods5.state = 2
 ) AS user_auth_methods5 ON TRUE
 WHERE projections.users14.id = $1
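Review bot: The added filter `AND projections.user_auth_methods5.state = 2` is a bare magic number in the query that decides which factors a session must satisfy, so a reader cannot tell from the SQL whether 2 is the ready/verified state or some other one, and a wrong value here would silently drop verified factors from MFA enforcement rather than fail loudly. Name it inline, e.g. `AND projections.user_auth_methods5.state = 2 -- ready: pending (unverified) registrations must not count as required factors`, and keep that mapping tied to the Go-side state constant this query mirrors (the accompanying test treats an unverified RegisterTOTP as "not fully set up", which suggests 2 is the ready state, but this should be confirmed against the enum rather than assumed). The first and last lines of this hunk are not visible here, so the rest of the lateral subquery and whatever follows `projections.users14.id = $1` could not be checked.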