X is warning users to re-enroll their hardware security keys or passkeys before 10 November, or risk being locked out of their accounts.
In a series of posts on the platform, X said the change affects only users who use hardware-based security keys, such as YubiKeys, or passkeys, both considered among the most secure forms of two-factor authentication (2FA).
“By November 10, we’re asking all accounts that use a security key as their two factor authentication (2FA) method to re-enroll their key to continue accessing X. You can re-enroll your existing security key, or enroll a new one,” the company said.
It added a warning for those planning to make changes: “A reminder: if you enroll a new security key, any other security keys will stop working (unless also re-enrolled).”
X emphasized that the move is not linked to any security incident but is part of the company’s migration from twitter.com to x.com. Because security keys and passkeys are cryptographically tied to a specific domain, the upcoming domain change will invalidate existing credentials still associated with twitter.com.
Once the migration takes effect, any account that hasn’t re-enrolled will be locked until users take one of three actions:
- Re-enroll an existing or new security key or passkey
- Switch to another 2FA method, such as an authenticator app
- Disable 2FA entirely, a step X “strongly discourages”
To update credentials, users must visit x.com/settings/account/login_verification/security_keys, remove their existing security keys, and re-enroll them. The process requires users to enter their account password to confirm their identity.
After completing the re-enrollment, the new keys and passkeys will be bound to x.com and will remain valid once the twitter.com domain is fully retired.
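The domain binding described above can be seen in the relying-party checks defined by WebAuthn, the standard behind security keys and passkeys. The sketch below is an added example, not X's code: the function names and the challenge value are constructed for illustration, and signature verification is left out so that only the domain checks are shown.

```python
import hashlib
import hmac
import json
import struct

def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """37-byte assertion header: SHA-256(RP ID) || flags || signCount."""
    flags = 0x01 | 0x04  # UP (user present) | UV (user verified)
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)

def client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as a browser builds it for a login (get) ceremony."""
    fields = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(fields).encode()

def check_rp_binding(auth_data: bytes, client_json: bytes,
                     rp_id: str, origin: str, challenge: str) -> list:
    """Return the names of failed binding checks; an empty list means all passed.
    A real server also verifies the signature over authData || SHA-256(clientDataJSON)."""
    if len(auth_data) < 37:
        return ["authenticator data too short"]
    failures = []
    client = json.loads(client_json)
    if client.get("type") != "webauthn.get":
        failures.append("wrong ceremony type")
    if client.get("challenge") != challenge:
        failures.append("challenge mismatch")
    if client.get("origin") != origin:
        failures.append("origin mismatch")
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failures.append("rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        failures.append("user presence flag not set")
    return failures

CHALLENGE = "constructed-challenge"  # constructed sample; random per login in practice

def verify_for_x_com(credential_rp_id: str, page_origin: str) -> list:
    """Check an assertion from a credential scoped to credential_rp_id
    against a server that expects RP ID x.com and origin https://x.com."""
    return check_rp_binding(authenticator_data(credential_rp_id),
                            client_data(page_origin, CHALLENGE),
                            "x.com", "https://x.com", CHALLENGE)

if __name__ == "__main__":
    print("twitter.com key:", verify_for_x_com("twitter.com", "https://twitter.com"))
    print("re-enrolled key:", verify_for_x_com("x.com", "https://x.com"))
```

The RP ID hash is produced by the authenticator and covered by its signature, so a credential created for twitter.com cannot be re-pointed at x.com after the fact; enrolling again is the only way to obtain one scoped to the new domain.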
Jamie Akhtar, CEO and Co-founder at CyberSmart, says this announcement marks a significant shift in the platform’s security posture.
“Users relying on hardware security keys tied to the old Twitter domain must re-enroll their keys or risk being locked out of their accounts. This change is a proactive measure to reduce vulnerability to domain-spoofing and legacy infrastructure weaknesses, reflecting how high-profile platforms must evolve their authentication frameworks in response to rising cyber threats.”
He says that for individuals and organizations, this is a good reminder of the basics of account security.
“First, if you use X/Twitter and rely on security keys for 2FA, enrol your keys now and ensure you have backup keys in case one is lost or fails. Second, even if you don’t use a hardware key, you should ensure your account has 2FA enabled via an authenticator app rather than SMS, since hardware keys or apps provide stronger defense against phishing. Third, regularly review authorized devices and account recovery options, and treat changes like this as trusted platform prompts rather than potential phishing lures.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


