Heads up if you protect your X account with a physical security key or passkey. X is moving its sign-in off the older legacy twitter.com domain—everyone using hardware-backed two-factor authentication must re-enroll their key to maintain access. If you fail to re-enroll, you risk being locked out when the deadline comes around.
What Is Changing and Who Is Affected by X’s Domain Move
The difference comes in the domain that X uses to authenticate. Security keys and passkeys are cryptographically bound to a given website identity, and many were initially registered on twitter.com. When X decommissions that domain for sign-in, keys bound to the old domain will cease to automatically validate and should be re-registered under x.com.
- What Is Changing and Who Is Affected by X’s Domain Move
- Why Security Keys Require Re-enrollment on X.com
- How to Re-enroll Your Security Key or Passkey Quickly
- Prevent a Lockout With These Practical Safeguards
- The Bigger Picture and Why It Matters for X Account Security
- What to Watch Next as X Migrates Its Sign-in Domains
This impacts hardware security keys like YubiKey, FEITIAN, or SoloKeys, as well as passkeys saved in services like iCloud Keychain or Google Password Manager.
App-based one-time codes (Google Authenticator, Microsoft Authenticator, or Authy) and SMS are not included in this change.
X security staff have presented the move as a domain trust cleanup rather than a reaction to a new vulnerability. In other words, this is the company unifying all of its cryptographic credentials on its updated brand domain so it no longer has to maintain workarounds for the old one.
Why Security Keys Require Re-enrollment on X.com
With the WebAuthn and FIDO2 standards, security keys verify the site you’re visiting with a “relying party ID,” which is usually the domain. That binding is a strong anti-phishing measure: a key that’s registered with twitter.com will ignore lookalike sites—including x.com. The site identity is part of the cryptographic handshake, so changing domains involves registering a fresh credential for the new domain.
The FIDO Alliance and NIST both suggest these phishing-resistant methods as the gold standard for account protection. The downside is that domain changes must be handled carefully to ensure the good guys aren’t locked out—hence this re-enrollment window.
How to Re-enroll Your Security Key or Passkey Quickly
On the web or via the mobile app, visit Settings, Security and account access, and Two-factor authentication. Choose Security keys or Passkeys, click Manage, and follow the instructions to either add your key or create a new passkey under x.com. If you have more than one key, enroll all of them.
Are you using a passkey from a device-bound manager (like iCloud Keychain on iOS or Google Password Manager on Android)? Launch the add flow from a device that has that passkey so the platform can make another credential for x.com. Plug in or tap as desired for cross-device USB/NFC keys when prompted.
Admins who control brand or organization accounts should review all 2FA steps for each member now, verify every security key is re-registered, and activate at least one backup sign-in step in case keys are lost.
Prevent a Lockout With These Practical Safeguards
- Use multiple security keys. FIDO guidance suggests two keys: a main one and a spare kept in a separate location. If a key is misplaced, the spare prevents an emergency restoration of an account.
- Store backup codes securely. If X offers single-use backup codes, keep them offline in a password manager or safe place. They can bridge access if your key or phone is unavailable.
- Have an authenticator app as a backup. TOTP codes are not as phishing-resistant as a hardware key, but they’re useful when you’re traveling or between devices.
The Bigger Picture and Why It Matters for X Account Security
Use of robust two-factor authentication on social media platforms is low. Only about 2–3% of the active user base had any form of 2FA enabled, according to a previous transparency report from the company’s pre-rebrand era, and significantly fewer used security keys. That’s even though NIST and security researchers alike have given clear guidance that methods backed by hardware go a long way in preventing account takeovers.
The stakes are higher on X, with SMS-based 2FA locked behind a paywall that drives more users toward authenticator apps and security keys. For those who switched to a phishing-resistant alternative, it is imperative that this one-time re-enrollment process be completed so your protection continues during this transition.
What to Watch Next as X Migrates Its Sign-in Domains
X has said the switch of domains should not disrupt app-based codes and stressed that there is no reason to believe a fresh security breach underpins the change. That said, any time a platform migrates identity infrastructure, edge cases can arise—particularly among enterprise teams and high-profile accounts, as well as among users who continue to use older keys.
Your safest course of action is to re-enroll your key now, verify that you can successfully sign out and sign back in, and ensure every team login still works. That sounds an awful lot like fighting off a hangover, yes? Anyway, it’s a five-minute job that can save you hours of repairing the damage—and keep your account protected with the best defenses available.
