X’s security key switchover locked users out after passkey migration error

Lead: On October 24, X (formerly Twitter) told users who rely on passkeys or hardware security keys to re-enroll them under the x.com domain, with a November 10 deadline. After the cutover, many people reported being stuck in loops or locked out outright when trying to re-enroll keys tied to the old twitter.com domain. Authenticator-app users were not affected; passkeys and physical tokens such as YubiKeys, which are cryptographically bound to the domain they were registered for, were. The lockouts have reignited user concerns about the platform’s operational practices since Elon Musk’s acquisition.

Key Takeaways

  • On October 24, X instructed users relying on passkeys or hardware security keys to re-enroll using x.com; the company set a November 10 deadline for the change.
  • Passkeys and hardware security keys are domain-bound and cannot be transferred from twitter.com to x.com, requiring manual un-enroll/re-enroll.
  • Numerous users reported error messages and endless re-enrollment loops after the November 10 deadline, leaving accounts inaccessible in many cases.
  • Authenticator-app two‑factor setups were not impacted by the migration, according to X’s guidance.
  • The domain switch from twitter.com to x.com took effect in May 2024; the recent step is part of that ongoing migration effort.
  • Elon Musk, who acquired the company for $44 billion, continued posting on the platform as these issues unfolded; X has not issued a public, detailed fix at the time of reporting.

Background

The move to retire twitter.com and consolidate under x.com began publicly in May 2024, when the old domain started redirecting to the new one. That domain change has technical consequences beyond branding. WebAuthn credentials, which include passkeys and the credentials stored on hardware security keys, are created for a specific relying party identifier (RP ID), normally the site's registrable domain. A browser will only offer a credential to an origin whose host equals its RP ID or sits beneath it, and every signed assertion carries a hash of the RP ID that the server verifies. A credential registered for twitter.com therefore cannot be used from x.com at all; it has to be re-registered under the new domain.

Passkeys and hardware security keys (for example, YubiKeys) are widely recommended by security experts because they reduce phishing risk and strengthen two‑factor authentication (2FA). However, their domain-binding also makes coordinated migrations more complex; services must plan re-registration flows carefully to avoid locking users out. X’s October notice asked affected users to complete a re-enrollment step under x.com, warning that accounts could be locked after the November 10 cutoff.

Main Event

On October 24 X posted instructions asking users who use passkeys or hardware security keys as 2FA to re-enroll via the x.com domain. The company said authenticator apps were unaffected. X framed the request as a necessary step to complete the domain consolidation that began in May 2024.

After November 10, many users reported being unable to access their accounts. Complaints on social platforms described error messages during re-enrollment and loops that prevented completion of the process. In numerous cases, users who relied exclusively on passkeys or hardware tokens found themselves effectively locked out until they could access alternative recovery methods.

At the time of reporting, X had not published a comprehensive remediation plan or broad user outreach to explain recovery options. Elon Musk continued posting on the platform during the incident. The absence of an immediate, clear fix has left many users scrambling to regain access using secondary authentication methods or account recovery flows.

Analysis & Implications

Technically, passkeys and hardware security keys follow the WebAuthn model: a credential is created for a specific relying party identifier (typically the site's domain) and cannot be moved to another domain afterwards. That binding is deliberate. It is what stops a phishing site on a look-alike domain from obtaining an assertion from the user's authenticator (a fresh server-issued challenge, signed into each assertion, is what separately prevents replay), but the same property makes a domain change operationally risky unless it is handled with explicit migration tooling and staged user prompts.

The incident exposes trade-offs between strong security and operational resilience. While passkeys improve overall safety, the onus is on service operators to coordinate migrations and to provide fallback recovery channels. When those channels are incomplete or poorly communicated, users face account loss even though their credentials remain secure from attacker misuse.

For X, the problem is also reputational and regulatory. The company has undergone extensive organizational change since the $44 billion acquisition, and repeated service disruptions increase scrutiny from regulators and users. Firms handling authentication for millions of users are expected to plan and test migrations; failure to do so can invite complaints and possible investigations if users lose access to critical accounts.

Practically, the immediate priority for affected users is to find alternate recovery methods (backup codes, linked email, phone, or authenticator apps) and for X to publish a clear, step‑by‑step recovery guide. Longer term, platforms should implement staged migration tooling that allows credentials to be re-provisioned without locking accounts or provide automated fallback verification that maintains security assurances.

Comparison & Data

Authentication method                      Affected by twitter.com → x.com?
Passkeys / WebAuthn credentials            Yes: bound to the twitter.com RP ID, must be re-enrolled
Hardware security keys (e.g., YubiKey)     Yes: same WebAuthn binding when registered for twitter.com
Authenticator app (TOTP)                   No: shared-secret codes carry no domain binding
Password + SMS / email recovery            No domain binding; usefulness depends on whether the user had them configured

The table shows which common 2FA types were impacted by the domain migration. In short: cryptographic credentials tied to a specific domain require explicit re-registration, while time-based codes generated by authenticator apps do not depend on domain binding and continued to function as before.

Reactions & Quotes

“We’re seeing reports across social media that users are getting stuck in endless loops and, in some cases, getting locked out,”

TechCrunch (media reporting)

“Users must re-enroll passkeys under x.com; accounts may be locked after the deadline,”

X post (official announcement)

“Passkeys and security keys are cryptographically tied to the domain that created them.”

WebAuthn (W3C, technical)

Unconfirmed

  • Scale of the lockouts — there is no public, company-provided figure for how many accounts were affected as of publication.
  • Whether any account data or credentials beyond access disruption were exposed — TechCrunch’s reporting does not indicate data breach or credential compromise.

Bottom Line

The episode illustrates a predictable technical consequence of a domain migration that appears not to have been fully operationalized: highly secure authentication methods require coordinated re-registration flows or robust recovery options to avoid locking legitimate users out. X’s decision to set a hard deadline without an apparent backstop produced real user harm in the form of account inaccessibility.

For users, the immediate steps are practical: try alternate recovery routes (backup codes, linked email/phone, authenticator apps) and contact support if available. For platforms, the lesson is clear: strong authentication is valuable, but migrations must include tested user journeys and explicit fallback mechanisms to preserve access while maintaining security.
