X Warns Users With Security Keys to Re-Enroll Before November 10 to Avoid Lockouts

Brownie2019

Social media platform X is urging users who have enrolled for two-factor authentication (2FA) using passkeys and hardware security keys like YubiKeys to re-enroll their key to ensure continued access to the service.
To that end, users are being asked to complete the re-enrollment, either using their existing security key or enrolling a new one, by November 10, 2025.
"After November 10, if you haven't re-enrolled a security key, your account will be locked until you: re-enroll; choose a different 2FA method; or elect not to use 2FA (but we always recommend you use 2FA to protect your account!)," the company's Safety handle wrote in a post on X.
The move is part of the company's efforts to formally retire the twitter[.]com domain. Twitter, which was acquired by SpaceX and Tesla CEO Elon Musk in October 2022, was rebranded to X in July 2023.
In a follow-up post, X noted that the change does not apply to users who have enrolled for 2FA using other methods, such as authenticator apps.
"Security keys enrolled as a 2FA method are currently tied to the twitter[.]com domain," it added. "Re-enrolling your security key will associate them with x[.]com, allowing us to retire the Twitter domain."
X also supports 2FA using text messages, but the option is limited to non-Premium subscribers as of March 20, 2023. To enroll for 2FA, users can follow the steps below:
  • Navigate to Settings and privacy > Security and account access > Security > Two-factor authentication
  • Select Security key > Manage security keys > Delete existing keys
  • Select the Security key option > Enter X password > Enter confirmation code sent via email
  • Click Start > Insert key into the computer's USB port or connect via Bluetooth/NFC > Once inserted, touch the button on the key
  • Follow the on-screen instructions to finish setup
 
Thanks for sharing this update, Brownie2019. It's a good reminder of how platform changes like domain migrations can impact security features—definitely worth acting on if you're using a hardware key for 2FA on X.

For anyone affected, I'd echo the advice to re-enroll by November 10 to avoid any lockouts. Security keys like YubiKeys are one of the strongest 2FA options out there (resistant to phishing and man-in-the-middle attacks), so sticking with them is smart if you can. Just make sure you're following the official steps from X's help page to avoid any phishing risks—always verify the URL before clicking.

If you're new to this or considering alternatives, authenticator apps (like Google Authenticator or Authy) are a solid backup method that won't be impacted here. And yeah, as X says, enabling some form of 2FA is always better than none for protecting your account.
 
@Bot so why is X doing this re 2FA, to better track & gather data on its users? To me this seems like an odd request without any further explanation or did I miss the explanation :unsure:
 
Hey simmerskool,

Nah, it's not about tracking or gathering more data on users—at least not based on what X has officially stated. From their announcement (which was linked in the OP), it's pretty straightforward: The security keys enrolled for 2FA are currently tied to the old twitter[.]com domain. Since they're fully retiring that domain as part of the rebrand to X (which started back in 2023), they need users to re-enroll so the keys get associated with x[.]com instead. That way, everything keeps working smoothly without breaking access.

It's a technical migration thing, essentially, to avoid compatibility issues down the line. They did explain it in that follow-up post: "Security keys enrolled as a 2FA method are currently tied to the twitter[.]com domain. Re-enrolling your security key will associate them with x[.]com, allowing us to retire the Twitter domain."

If it feels odd, I get it—any change to security setups can raise eyebrows, especially with how X has handled things under Musk. But this seems legit and tied to the domain shift. Just to be safe, I'd recommend only following the official links from X's verified accounts or help pages, and maybe back up your 2FA setup (e.g., with an authenticator app as a secondary method) in case anything goes sideways.

If you've got more details or something I missed, feel free to share! 😊
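
Added example (not part of the thread and not X's code): WebAuthn security-key credentials are scoped to a relying-party (RP) ID, which is why keys enrolled under twitter.com cannot simply carry over to x.com. The sketch assumes the RP IDs are the literal strings `twitter.com` and `x.com`; the function names are hypothetical and the suffix check is simplified.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

FLAG_USER_PRESENT = 0x01


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must equal the page's host or be a
    parent domain of it. Simplified: real browsers also reject public
    suffixes (e.g. "com") using the Public Suffix List."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower()
    if parts.scheme != "https" or "." not in rp_id:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def build_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Constructed sample of what a key returns:
    rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", sign_count)


def rp_id_hash_matches(auth_data: bytes, expected_rp_id: str) -> bool:
    """Server-side check: first 32 bytes must be SHA-256(expected RP ID)."""
    if len(auth_data) < 37:
        return False
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(auth_data[:32], expected)


if __name__ == "__main__":
    # A page served from x.com may not ask for a twitter.com credential.
    print(rp_id_allowed_for_origin("twitter.com", "https://x.com"))
    print(rp_id_allowed_for_origin("x.com", "https://x.com"))
    # Authenticator data produced for the old RP ID does not verify
    # against the new one, so the key has to be enrolled again.
    legacy = build_authenticator_data("twitter.com", sign_count=7)
    print(rp_id_hash_matches(legacy, "x.com"))
    print(rp_id_hash_matches(legacy, "twitter.com"))
```

The same RP ID binding is what makes security keys phishing-resistant: a lookalike host fails the origin check, so the key never signs for it.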
 
ok that makes sense, thanks
 
I must say x.com's passkey 2FA implementation on the PC Firefox browser is “wacky”. The last time I tried:
  • It didn't allow a hardware security key; only Windows Hello was permitted.
  • Once I registered a PC, logging into the account on the browser from another machine requires the passkey previously registered on the original machine, with no alternative login methods available.
  • This effectively locks out logins from other machines beyond the one originally registered.
  • If you no longer have the machine (without deleting the passkey 2FA first), your X account is essentially locked out.
  • I shouldn't complain about it, since I use the account in read-only mode, but this is a terrible implementation.