diff --git a/apps/login/readme.md b/apps/login/readme.md
index f206fbf482..a411b9963f 100644
--- a/apps/login/readme.md
+++ b/apps/login/readme.md
@@ -396,3 +396,5 @@ Timebased features like the multifactor init prompt or password expiry, are not
 - Login Settings: multifactor init prompt
 - forceMFA on login settings is not checked for IDPs
 - disablePhone / disableEmail from loginSettings will be implemented right after https://github.com/zitadel/zitadel/issues/9016 is merged
+
+Also note that IDP logins are considered as valid MFA. An additional MFA check will be implemented in future if enforced.
diff --git a/apps/login/src/app/login/route.ts b/apps/login/src/app/login/route.ts
index f20009bee1..bbeda736a9 100644
--- a/apps/login/src/app/login/route.ts
+++ b/apps/login/src/app/login/route.ts
@@ -211,7 +211,8 @@ export async function GET(request: NextRequest) {
 console.log("Session is valid:", isValid);
 
 if (!isValid && selectedSession.factors?.user) {
- // if the session is not valid anymore, we need to redirect the user to re-authenticate
+ // if the session is not valid anymore, we need to redirect the user to re-authenticate /
+ // TODO: handle IDP intent direcly if available
 const command: SendLoginnameCommand = {
 loginName: selectedSession.factors.user?.loginName,
 organization: selectedSession.factors?.user?.organizationId,
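Review bot: The new TODO in the route.ts hunk has a typo ("direcly") and a dangling trailing "/" on the line before it, and it leaves unstated why the IDP case matters: once the session is invalid, this branch always falls back to the loginname flow even when the session's user presumably authenticated through an IDP, so the re-authentication path can differ from the one that originally established the session — worth spelling out for anyone who later relies on the readme's note that IDP logins count as MFA. I would rewrite the two comment lines as `// the session is not valid anymore, so the user has to re-authenticate; today this always goes through the loginname flow` and `// TODO: if the session was established via an IDP intent, re-run that IDP flow directly instead of falling back to loginname`. A short log-level note would also help, since the `console.log("Session is valid:", isValid)` context line above prints session state to stdout on every request; whether that is acceptable here cannot be judged from this hunk. The enclosing `GET` handler begins before the hunk and continues past it.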