diff --git a/internal/controller/user_controller.go b/internal/controller/user_controller.go
index 3d5b2215..c1c5e1b6 100644
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -329,6 +329,28 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 tlog.App.Info().Str("username", context.GetUsername()).Msg("TOTP verification successful")
 tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")
 
+ uuid, err := c.Cookie(controller.config.SessionCookieName)
+
+ if err != nil {
+ tlog.App.Error().Err(err).Msg("Failed to retrieve session cookie in TOTP handler")
+ c.JSON(500, gin.H{
+ "status": 500,
+ "message": "Internal Server Error",
+ })
+ return
+ }
+
+ _, err = controller.auth.DeleteSession(c, uuid)
+
+ if err != nil {
+ tlog.App.Error().Err(err).Msg("Failed to delete pending TOTP session")
+ c.JSON(500, gin.H{
+ "status": 500,
+ "message": "Internal Server Error",
+ })
+ return
+ }
+
 controller.auth.RecordLoginAttempt(context.GetUsername(), true)
 
 sessionCookie := repository.Session{
diff --git a/internal/service/oauth_extractors.go b/internal/service/oauth_extractors.go
index 96e2a034..821a02ca 100644
--- a/internal/service/oauth_extractors.go
+++ b/internal/service/oauth_extractors.go
@@ -27,7 +27,7 @@ func defaultExtractor(client *http.Client, url string) (*model.Claims, error) {
 return simpleReq[model.Claims](client, url, nil)
 }
 
-func githubExtractor(client *http.Client, url string) (*model.Claims, error) {
+func githubExtractor(client *http.Client, _ string) (*model.Claims, error) {
 var user model.Claims
 
 userInfo, err := simpleReq[GithubUserInfoResponse](client, "https://api.github.com/user", map[string]string{
@@ -49,7 +49,7 @@ func githubExtractor(client *http.Client, url string) (*model.Claims, error) {
 }
 
 for _, email := range *userEmails {
- if email.Primary {
+ if email.Primary && email.Verified {
 user.Email = email.Email
 break
 }
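Review bot: The two new 500 paths in totpHandler sit after `tlog.AuditLoginSuccess(c, context.GetUsername(), "totp")`, so a failed cookie read or a failed DeleteSession leaves an audit record saying the login succeeded while the client actually got an error and no session was issued; moving the audit call below the new block, next to `controller.auth.RecordLoginAttempt(context.GetUsername(), true)`, keeps the audit trail truthful. A missing session cookie at this point looks like a client-side condition rather than a server fault, so that branch is arguably a 401 rather than a 500, though whether an earlier part of the handler already guarantees the cookie is present is outside the hunk. The two identical `c.JSON(500, gin.H{...})` blocks could be one small helper, and the local name `uuid` will shadow a `uuid` package if this file imports one — `pendingSessionID` would avoid that. The enclosing function continues outside the hunk.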
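Review bot: Requiring `email.Verified` alongside `email.Primary` is the right call, but the loop now leaves `user.Email` empty whenever the primary address is unverified, and nothing in the hunk turns that into an explicit failure; if callers outside this function treat an empty email claim as acceptable, an unverified account would proceed with no usable identity. Consider an explicit check after the loop, `if user.Email == "" { return nil, errors.New("github account has no verified primary email") }`, assuming no later code in githubExtractor already handles the empty case. A why-comment on the new condition would help the next maintainer keep it: `// Only a verified address is trusted: an unverified primary email may not belong to the account holder.` The rest of githubExtractor lies outside the hunk.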