diff --git a/subsys/bluetooth/host/keys.h b/subsys/bluetooth/host/keys.h
index 90dcbe8c941..3eb78a68b1e 100644
--- a/subsys/bluetooth/host/keys.h
+++ b/subsys/bluetooth/host/keys.h
@@ -30,6 +30,7 @@ enum {
 	BT_KEYS_DEBUG           = BIT(1),
 	/* Bit 2 and 3 might accidentally exist in old stored keys */
 	BT_KEYS_SC              = BIT(4),
+	BT_KEYS_OOB             = BIT(5),
 };
 
 struct bt_ltk {
diff --git a/subsys/bluetooth/host/smp.c b/subsys/bluetooth/host/smp.c
index ff5d7659ad8..1a0d7393a64 100644
--- a/subsys/bluetooth/host/smp.c
+++ b/subsys/bluetooth/host/smp.c
@@ -5803,16 +5803,19 @@ void bt_smp_update_keys(struct bt_conn *conn)
 	 * security level upon encryption
 	 */
 	switch (smp->method) {
+	case LE_SC_OOB:
+	case LEGACY_OOB:
+		conn->le.keys->flags |= BT_KEYS_OOB;
+		/* fallthrough */
 	case PASSKEY_DISPLAY:
 	case PASSKEY_INPUT:
 	case PASSKEY_CONFIRM:
-	case LE_SC_OOB:
-	case LEGACY_OOB:
 		conn->le.keys->flags |= BT_KEYS_AUTHENTICATED;
 		break;
 	case JUST_WORKS:
 	default:
 		/* unauthenticated key, clear it */
+		conn->le.keys->flags &= ~BT_KEYS_OOB;
 		conn->le.keys->flags &= ~BT_KEYS_AUTHENTICATED;
 		break;
 	}