diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
index 38858289d74..7aaee90e166 100644
--- a/subsys/bluetooth/host/conn.c
+++ b/subsys/bluetooth/host/conn.c
@@ -1071,11 +1071,26 @@ uint8_t bt_conn_enc_key_size(struct bt_conn *conn)
 	return 0;
 }
 
+static void reset_pairing(struct bt_conn *conn)
+{
+#if defined(CONFIG_BT_BREDR)
+	if (conn->type == BT_CONN_TYPE_BR) {
+		atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING);
+		atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR);
+		atomic_clear_bit(conn->flags, BT_CONN_BR_LEGACY_SECURE);
+	}
+#endif /* CONFIG_BT_BREDR */
+
+	/* Reset required security level to current operational */
+	conn->required_sec_level = conn->sec_level;
+}
+
 void bt_conn_security_changed(struct bt_conn *conn, uint8_t hci_err,
 			      enum bt_security_err err)
 {
 	struct bt_conn_cb *cb;
 
+	reset_pairing(conn);
 	bt_l2cap_security_changed(conn, hci_err);
 
 	for (cb = callback_list; cb; cb = cb->_next) {
diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index 14042fd9cbd..00d9722dfac 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -2714,20 +2714,6 @@ static enum bt_security_err security_err_get(uint8_t hci_err)
 		return BT_SECURITY_ERR_UNSPECIFIED;
 	}
 }
-
-static void reset_pairing(struct bt_conn *conn)
-{
-#if defined(CONFIG_BT_BREDR)
-	if (conn->type == BT_CONN_TYPE_BR) {
-		atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING);
-		atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR);
-		atomic_clear_bit(conn->flags, BT_CONN_BR_LEGACY_SECURE);
-	}
-#endif /* CONFIG_BT_BREDR */
-
-	/* Reset required security level to current operational */
-	conn->required_sec_level = conn->sec_level;
-}
 #endif /* defined(CONFIG_BT_SMP) || defined(CONFIG_BT_BREDR) */
 
 #if defined(CONFIG_BT_BREDR)
@@ -3693,15 +3679,12 @@ static void auth_complete(struct net_buf *buf)
 	}
 
 	if (evt->status) {
-		if (conn->state == BT_CONN_CONNECTED) {
-			/*
-			 * Inform layers above HCI about non-zero authentication
-			 * status to make them able cleanup pending jobs.
-			 */
-			bt_conn_security_changed(conn, evt->status,
-						 security_err_get(evt->status));
-		}
-		reset_pairing(conn);
+		/*
+		 * Inform layers above HCI about non-zero authentication
+		 * status to make them able cleanup pending jobs.
+		 */
+		bt_conn_security_changed(conn, evt->status,
+					 security_err_get(evt->status));
 	} else {
 		link_encr(handle);
 	}
@@ -4147,7 +4130,6 @@ static void hci_encrypt_change(struct net_buf *buf)
 	}
 
 	if (evt->status) {
-		reset_pairing(conn);
 		bt_conn_security_changed(conn, evt->status,
 					 security_err_get(evt->status));
 		bt_conn_unref(conn);
@@ -4191,7 +4173,6 @@ static void hci_encrypt_change(struct net_buf *buf)
 		}
 	}
 #endif /* CONFIG_BT_BREDR */
-	reset_pairing(conn);
 
 	bt_conn_security_changed(conn, evt->status, BT_SECURITY_ERR_SUCCESS);
 
@@ -4215,7 +4196,6 @@ static void hci_encrypt_key_refresh_complete(struct net_buf *buf)
 	}
 
 	if (evt->status) {
-		reset_pairing(conn);
 		bt_conn_security_changed(conn, evt->status,
 					 security_err_get(evt->status));
 		bt_conn_unref(conn);
@@ -4243,7 +4223,6 @@ static void hci_encrypt_key_refresh_complete(struct net_buf *buf)
 	}
 #endif /* CONFIG_BT_BREDR */
 
-	reset_pairing(conn);
 	bt_conn_security_changed(conn, evt->status, BT_SECURITY_ERR_SUCCESS);
 	bt_conn_unref(conn);
 }