In a major security update, X (formerly Twitter) has announced that users who rely on hardware security keys or passkeys for two-factor authentication (2FA) must re-enroll their keys by November 10, 2025, or risk being locked out of their accounts.

If you've secured your account using a YubiKey or similar hardware-based 2FA device, you'll need to act fast. After November 10, your old key will no longer work β€” and X will require you to either re-enroll, switch 2FA methods, or disable it entirely (which is not recommended).

Why This Is Happening

This move is part of X's ongoing rebrand transition from Twitter.com to X.com. Currently, security keys are domain-bound, meaning your key is tied to the old twitter[.]com domain.

To complete the transition and formally retire the old domain, X is requiring users to re-register their keys so they're linked to the new x[.]com domain. Without this update, your device won't recognize X.com as a valid source β€” resulting in login failures.

As X's Safety Team stated:

"Re-enrolling your security key will associate them with x[.]com, allowing us to retire the Twitter domain."

Who Needs to Act

βœ… Required: Users who use security keys or passkeys for 2FA. ❌ Not required: Users who use authenticator apps or SMS for 2FA.

(Though X still encourages everyone to use 2FA β€” any form is better than none.)

How to Re-Enroll Your Security Key

If you fall into the affected group, follow these steps to stay safe and avoid being locked out:

  1. Go to: Settings β†’ Security and account access β†’ Security β†’ Two-factor authentication
  2. Choose Security Key β†’ Manage security keys β†’ Delete existing keys
  3. Re-add your key: Enter password β†’ Confirm via email β†’ Click Start
  4. Insert or connect your key (USB, NFC, or Bluetooth) and touch the key when prompted.

Done! Your key is now tied to the x[.]com domain.

What This Means for the Future of Digital Identity

While this may seem like an inconvenience, it underscores a larger shift: security is becoming more domain-bound, identity-driven, and hardware-enforced.

X's migration reflects the challenge of maintaining authentication integrity during platform transitions. As passkeys, WebAuthn, and hardware keys become more prevalent, tying them to domains or ecosystem identifiers will be increasingly important for protecting user data.

Final Thoughts

This isn't just a technical update β€” it's a test of user awareness in the age of secure, decentralized authentication.

If you rely on a security key to protect your X account, re-enroll it before November 10. A few clicks today could save you from a lockout tomorrow.

X Warns Users With Security Keys: Re-Enroll or Get Locked Out

Re-Enroll Your Security Keys Before November 10

substack.com