X is migrating domains; re-enroll hardware 2FA keys now

Gregory Zuckerman
By Gregory Zuckerman
Technology
6 Min Read

Now is a good time to re-enroll if you use a physical security key to log in to X. The company is migrating its authentication to a new domain and branding, and any hardware keys or passkeys bound to the old domain will cease functioning after the deadline. Dismissing this point risks being locked out of your account with virtually no notice.

What changed in the move to x.com and who is affected

X has announced that the old twitter.com address for sign-ins is being put out to pasture. This is true for hardware security keys and newer passkeys as well, because both are cryptographically bound to a site’s domain—referred to in the WebAuthn spec (and Twitter infrastructure) as the relying party ID. Credentials added to example.twitter.com won’t validate on x.com. Therefore, you need to verify your key again.

Table of Contents
A black YubiKey security key with a gold Y logo and a USB-A connector, presented on a professional flat design background with soft blue and grey gradients and subtle geometric patterns.

This impacts those using hardware tokens (like YubiKey, Titan Security Key, or other FIDO2/U2F devices) as well as platform passkeys associated with the old domain. Time-based codes should still work since those are app-based from a real-time authenticator app. X staff insisted that this is a domain transition issue and does not represent a new security vulnerability.

Christopher Stanley, a security engineer working on X, xAI, and SpaceX, said the reason is clear-cut: physical security keys are bound to a domain, so moving to x.com means new enrollment and restoration of cryptographic trust without workarounds.

Why domain changes break hardware security keys

Per the FIDO2/WebAuthn standard, a security key creates site-unique keys and will only return a valid signature if it’s challenged by the exact domain (or an authorized subdomain) to which it was registered. It’s that snug fit that makes hardware keys so impervious to phishing—there is no “close enough” domain. On the plus side, it provides best-in-the-world protection; on the downside, you need a one-time re-registration of your credential to complete a move.

This model has a very good security history. Google said that when it required security keys for more than 85,000 employees, there were zero successful phishing-based account takeovers. Microsoft has long claimed that turning on any manner of multi-factor authentication blocks 99.9 percent of automated account compromise attacks. The FIDO Alliance would argue that these numbers point to the fact that possession-based authentication, when combined with explicit binding of an origin, substantially mitigates risk.

X domain migration alert urging re-enrollment of hardware security key 2FA

How to re-enroll your security keys and passkeys on X

It’s a process that takes a minute or two. On X, navigate to Settings, then Security and Account Access; select Two-Factor Authentication, then Manage Security Keys. Follow the on-screen instructions to add your existing hardware key again. If you use more than one key, like a primary and a backup, register both to the new domain.

It’s best to have two separate sign-in methods ready, if possible. If only as a fallback, consider still having an authenticator app enabled and safekeeping a second physical key somewhere. If you employ passkeys on your handset or laptop, make sure they are synchronized and recoverable from a secondary device if you lose access to the primary one.

What happens if you take no action before the cutoff

After the cutoff day, a twitter.com-registered key will not be able to log in on x.com. If you don’t have an additional active method, like an authenticator app, you may become locked out and directed into recovery flows that can be time-consuming and potentially require identity proofing. For creators, brands, and organizations, downtime can also be expensive.

Especially since X’s previous modifications to SMS 2FA availability. If you have been depending on that hardware key as your exclusive factor beyond a password, the fastest route to uninterrupted access is by re-enrolling now.

Key security takeaways now and what to expect next on X

  • While you are online, re-enroll all hardware keys and any passkeys you use so that they bind to x.com.
  • Maintain at least two factors in working condition: a primary hardware key and a backup (second key or authenticator app).
  • Make sure account recovery info is current and your email address and trusted devices are up to date.
  • For team-managed accounts, notify administrators and rotate keys among all members to ensure no one loses access.

Such a domain transition is mundane in the world of WebAuthn but does require explicit actions from users. Take a few minutes now to re-enroll your keys and you can continue with the phishing-resistant login protection that FIDO2 was developed to provide—no surprises, no lockouts.

Gregory Zuckerman
ByGregory Zuckerman
Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.
Latest News