X is warning that users must re-enroll their security keys or passkeys for two-factor authentication (2FA) before November 10 or they will be locked out of their accounts until they do so.
In a series of posts on X, the company says this change only affects users who use passkeys or hardware-based security keys, such as YubiKeys.
Both authentication methods provide phishing-resistant protection by verifying a user’s identity using cryptographic keys stored securely on a device or in the operating system, rather than through traditional credentials that can be stolen by infostealing malware and phishing attacks.
“By November 10, we’re asking all accounts that use a security key as their two factor authentication (2FA) method to re-enroll their key to continue accessing X,” X’s official “Safety” account posted last week.
“You can re-enroll your existing security key, or enroll a new one. A reminder: if you enroll a new security key, any other security keys will stop working (unless also re-enrolled).”
“After November 10, if you haven’t re-enrolled a security key, your account will be locked until you: re-enroll; choose a different 2FA method; or elect not to use 2FA (but we always recommend you use 2FA to protect your account!). “
X stressed that this change is not related to any security incident but is rather caused by the company’s upcoming migration from the twitter.com domain to x.com. As the security keys and passkeys are tied to the twitter.com domain, once it is retired, those keys will no longer work.
After November 10, accounts that have not re-enrolled will be locked until users either:
- Re-enroll their existing or new security key or passkey,
- Switch to another 2FA method, such as an authenticator app
- Disable 2FA altogether, which is strongly discouraged.
Users can manually complete the process by visiting x.com/settings/account/login_verification/security_keys, disabling their existing security keys, and then enrolling them again. To perform this process, you will need to enter your password to confirm your identity.
After performing this process, your security keys and passkeys will be associated with the x.com domain and will not be impacted when twitter.com is finally retired.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
