X (formerly Twitter) has announced that users who rely on security keys for two-factor authentication (2FA) must re-enroll their keys by November 10, 2025, to keep accessing their accounts. The company says the change is necessary as it completes the move from twitter.com to x.com, a process that affects how its security system recognises users’ credentials.
In a post from the @Safety account, X said that anyone using a hardware security key or passkey needs to re-enroll it under the new domain. “By November 10, we’re asking all accounts that use a security key as their two-factor authentication (2FA) method to re-enroll their key to continue accessing X,” the post read.
Users can re-enroll the same key or set up a new one, but older keys will stop working if they aren’t re-registered. However, after tweets from users questioning the move, X clarified that this update is not related to any security incident and only affects people using YubiKeys or passkeys, not those using apps like Google Authenticator or SMS-based codes.

The company says the change comes down to how security keys actually work. These devices use a protocol that links each registered key to a specific web domain. Since X’s login pages are moving from twitter.com to x.com, the credentials registered under the old domain won’t work on the new one. Security keys are built to ignore login requests from domains they weren’t originally registered with, a feature meant to stop phishing attacks.
This means users must create new credentials for x.com. Once they do, their accounts will work as normal. If they don’t re-enroll by November 10, their accounts will be locked until they either re-register the key, switch to another 2FA method, or turn off 2FA completely (though X advises against disabling it).
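The domain binding described above can be modelled in a few lines. The following Python sketch is an added example, not code from X or from any security-key vendor: it assumes the protocol in question is WebAuthn, where credentials are scoped to the SHA-256 hash of the relying-party ID (RP ID), and it uses a toy authenticator class, constructed credential IDs and a simplified browser check as stand-ins for the real components.

```python
import hashlib

def rp_id_hash(rp_id: str) -> bytes:
    # WebAuthn authenticators scope each credential to SHA-256(RP ID).
    return hashlib.sha256(rp_id.encode("utf-8")).digest()

def rp_id_allowed(origin_host: str, rp_id: str) -> bool:
    # Browser-side rule (simplified: no public-suffix check): a page may only
    # claim an RP ID equal to its own host or a parent domain of it.
    return origin_host == rp_id or origin_host.endswith("." + rp_id)

class ModelAuthenticator:
    """Toy stand-in for a security key; holds credential IDs per RP ID hash."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str, cred_id: str) -> None:
        self._creds.setdefault(rp_id_hash(rp_id), set()).add(cred_id)

    def get_assertion(self, rp_id: str, allow_list):
        scoped = self._creds.get(rp_id_hash(rp_id), set())
        return next((c for c in allow_list if c in scoped), None)

def login(key, origin_host, rp_id, allow_list):
    """Return the credential ID used, or None if the ceremony fails."""
    if not rp_id_allowed(origin_host, rp_id):
        return None  # browser refuses before the key is ever asked
    return key.get_assertion(rp_id, allow_list)

def demo():
    key = ModelAuthenticator()
    key.register("twitter.com", "cred-old")  # constructed credential ID
    results = {
        "old domain": login(key, "twitter.com", "twitter.com", ["cred-old"]),
        "new domain, old RP ID": login(key, "x.com", "twitter.com", ["cred-old"]),
        "new domain, new RP ID": login(key, "x.com", "x.com", ["cred-old"]),
        "lookalike host": login(key, "x.com.login.example", "x.com", ["cred-old"]),
    }
    key.register("x.com", "cred-new")  # re-enrollment under the new domain
    results["after re-enroll"] = login(key, "x.com", "x.com", ["cred-old", "cred-new"])
    return results

if __name__ == "__main__":
    for case, used in demo().items():
        print(f"{case}: {used}")
```

Only the first and last cases return a credential: the old enrollment is unusable from x.com whichever RP ID the page requests, and the same scoping rule is what makes a lookalike host fail.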




