X is retiring the Twitter.com domain, and the switch has a couple of crucial drawbacks for security-conscious users. If you log in with a hardware security key or a passkey, you will need to re-enroll the credential; otherwise you will be locked out after the migration completes.
What Is Changing in the X.com Migration, and Why It Matters
The company’s security team has confirmed that security keys and passkeys associated with the Twitter.com domain will stop working after the cutover to X.com. This is not a breach or a vulnerability; it is how modern authentication is designed to protect you.

Hardware keys and passkeys rely on WebAuthn, a standard from the FIDO Alliance and W3C that cryptographically ties your credential to a “relying party” domain. Put simply, a key registered on Twitter.com won’t automatically log in to X.com. Re-enroll your key so that it is registered against the new domain.
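The domain binding described above, as an added example (not code from X or from the original article): it shows the two relying-party checks that make a Twitter.com credential unusable on X.com. The function names and sample data are constructed for illustration, and the browser scope rule is simplified (real browsers also consult the public suffix list).

```python
import hashlib
import json
import struct
from urllib.parse import urlsplit


def rp_id_valid_for_origin(rp_id, origin):
    """Browser-side scope rule (simplified assumption): the RP ID must equal
    the page's host or be a parent domain of it, and the page must be HTTPS."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def make_authenticator_data(rp_id, sign_count=1):
    """Constructed sample of what an authenticator signs:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    flags = 0x05  # UP (user present) | UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


def make_client_data(origin, challenge="constructed-challenge"):
    """Constructed clientDataJSON as the browser would produce it."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def check_binding(auth_data, client_data, expected_rp_id, expected_origin):
    """Server-side domain-binding checks. Returns a list of failures (empty = pass).
    Signature and challenge verification are out of scope for this sketch."""
    failures = []
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        failures.append("rpIdHash mismatch")
    if json.loads(client_data)["origin"] != expected_origin:
        failures.append("origin mismatch")
    return failures


if __name__ == "__main__":
    # A credential scoped to twitter.com cannot even be requested from x.com.
    print(rp_id_valid_for_origin("twitter.com", "https://x.com"))
    # An assertion produced for twitter.com fails a server that expects x.com.
    old = make_authenticator_data("twitter.com")
    print(check_binding(old, make_client_data("https://twitter.com"), "x.com", "https://x.com"))
    # After re-enrollment the credential is scoped to x.com and the checks pass.
    new = make_authenticator_data("x.com")
    print(check_binding(new, make_client_data("https://x.com"), "x.com", "https://x.com"))
```

The same rule is what stops a look-alike domain from using your key: its host never matches the RP ID the credential was created for.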
Who Must Act Now to Keep Their X.com Login Working
Re-enrollment is necessary for users who sign in with security keys (such as a YubiKey, Google Titan, or Feitian key).
The domain switch does not affect authenticator app codes or any other 2FA methods, the company says.
The safety team added that when a new security key is enrolled, it will overwrite an old one — unless all have been re-enrolled. That subtlety makes a difference for power users who carry multiple keys for redundancy.
How to Check Your 2FA Status and Re-enroll Securely
Navigate to Settings & privacy > Security and account access > Security > Two-factor authentication. If you’re affected, you should receive a prompt to re-enroll your existing key or add a new one. Follow the on-screen instructions to tap your key or complete your device’s passkey prompt, and then click Enroll.
Best practice: Keep at least two factors active during the switch. If you remove your key temporarily, add an authenticator app as a backup so that you don’t get locked out while changing domains.

Security Implications and Context of the X.com Domain Change
The move highlights both the strength and the rigidity of phishing-resistant authentication. WebAuthn keys are powerful because they simply will not work on look-alike or otherwise malicious domains, which is precisely why a legitimate domain change must involve user action.
2FA uptake on the platform has historically been low. The company’s own transparency report previously indicated that only 2.3% of accounts were using any kind of two-factor authentication. Policy changes that reduced SMS codes for some users helped push people toward authenticator apps and hardware keys. For those users, failing to re-enroll now will result in needless lockouts.
If You Lose Access During the Switch, How to Recover
If you miss the cutoff and find your account locked, you’ll need to re-enroll a security key, switch to an alternate 2FA method, or proceed without 2FA in order to regain access. Security pros are unlikely to suggest turning off 2FA permanently, but if for some reason you need to disable it, do so only for as long as it takes to get back in, then turn a strong factor right back on.
Watch out for phishing during this period. Scammers are known to be drawn to account migrations, a risk that the FIDO Alliance and digital rights groups like EFF caution about. Only re-enroll through the platform’s official security settings, and never give a one-time code that would grant access to your account to a stranger.
The Bigger Rebrand Push Behind Retiring the Twitter.com Domain
The retirement of Twitter.com is something of a capstone to the platform’s rebrand. A domain migration touches every sign-in endpoint, whether in mobile apps, browsers, or third-party integrations. Expect more housekeeping as legacy mentions of the old name are retired and system credentials realign with X.com.
Bottom line: if you depend on a hardware key or passkey, re-enroll it now so that your credential is enrolled against X.com.
It’s simple, it maintains strong, phishing-resistant protection, and it prevents an avoidable account lockout as the domain at long last changes hands.