{"id":4289,"date":"2025-11-13T08:04:07","date_gmt":"2025-11-13T08:04:07","guid":{"rendered":"https:\/\/readtrends.com\/en\/x-security-key-switchover\/"},"modified":"2025-11-13T08:04:07","modified_gmt":"2025-11-13T08:04:07","slug":"x-security-key-switchover","status":"publish","type":"post","link":"https:\/\/readtrends.com\/en\/x-security-key-switchover\/","title":{"rendered":"X\u2019s security key switchover locked users out after passkey migration error"},"content":{"rendered":"<article>\n<p><strong>Lead:<\/strong> On October 24, X (formerly Twitter) told users who rely on passkeys or hardware security keys to re-enroll under the x.com domain; a November 10 deadline followed. After the cutover, many people reported getting stuck in loops or outright locked out when attempting to re-enroll keys tied to the old twitter.com domain. Authenticator-app users were not affected; passkeys and physical tokens such as YubiKeys, which are cryptographically bound to their original domain, were. The outage has reignited user concerns about the platform\u2019s operational practices since Elon Musk\u2019s acquisition.<\/p>\n<h2>Key Takeaways<\/h2>\n<ul>\n<li>On October 24, X instructed users relying on passkeys or hardware security keys to re-enroll using x.com; the company set a November 10 deadline for the change.<\/li>\n<li>Passkeys and hardware security keys are domain-bound and cannot be transferred from twitter.com to x.com, requiring manual un-enroll\/re-enroll.<\/li>\n<li>Numerous users reported error messages and endless re-enrollment loops after the November 10 deadline, leaving accounts inaccessible in many cases.<\/li>\n<li>Authenticator-app two\u2011factor setups were not impacted by the migration, according to X\u2019s guidance.<\/li>\n<li>The domain switch from twitter.com to x.com took effect in May 2024; the recent step is part of that ongoing migration effort.<\/li>\n<li>Elon Musk, who acquired the company for $44 billion, continued posting on the platform as these issues unfolded; X has not issued a public, detailed fix at the time of reporting.<\/li>\n<\/ul>\n<h2>Background<\/h2>\n<p>The move to retire twitter.com and consolidate under x.com began publicly in May 2024 when the old domain started redirecting to the new one. That domain change has technical consequences beyond branding: modern authentication methods such as WebAuthn-based passkeys and many hardware tokens include the domain that created them in their cryptographic proof. When the domain changes, those credentials no longer match and cannot be used until re-registered.<\/p>\n<p>Passkeys and hardware security keys (for example, YubiKeys) are widely recommended by security experts because they reduce phishing risk and strengthen two\u2011factor authentication (2FA). However, their domain-binding also makes coordinated migrations more complex; services must plan re-registration flows carefully to avoid locking users out. X\u2019s October notice asked affected users to complete a re-enrollment step under x.com, warning that accounts could be locked after the November 10 cutoff.<\/p>\n<h2>Main Event<\/h2>\n<p>On October 24 X posted instructions asking users who use passkeys or hardware security keys as 2FA to re-enroll via the x.com domain. The company said authenticator apps were unaffected. X framed the request as a necessary step to complete the domain consolidation that began in May 2024.<\/p>\n<p>After November 10, many users reported being unable to access their accounts. Complaints on social platforms described error messages during re-enrollment and loops that prevented completion of the process. In numerous cases, users who relied exclusively on passkeys or hardware tokens found themselves effectively locked out until they could access alternative recovery methods.<\/p>\n<p>At the time of reporting, X had not published a comprehensive remediation plan or broad user outreach to explain recovery options. Elon Musk continued posting on the platform during the incident. The absence of an immediate, clear fix has left many users scrambling to regain access using secondary authentication methods or account recovery flows.<\/p>\n<h2>Analysis &#038; Implications<\/h2>\n<p>Technically, passkeys and many hardware tokens follow the WebAuthn model: a credential is created with a specific relying party identifier (typically the domain) and cannot be migrated to another domain. That design is deliberate because it prevents replay attacks and phishing, but it also makes domain changes operationally risky if not handled with explicit migration tooling or staged user prompts.<\/p>\n<p>The incident exposes trade-offs between strong security and operational resilience. While passkeys improve overall safety, the onus is on service operators to coordinate migrations and to provide fallback recovery channels. When those channels are incomplete or poorly communicated, users face account loss even though their credentials remain secure from attacker misuse.<\/p>\n<p>For X, the problem is also reputational and regulatory. The company has undergone extensive organizational change since the $44 billion acquisition, and repeated service disruptions increase scrutiny from regulators and users. Firms handling authentication for millions of users are expected to plan and test migrations; failure to do so can invite complaints and possible investigations if users lose access to critical accounts.<\/p>\n<p>Practically, the immediate priority for affected users is to find alternate recovery methods (backup codes, linked email, phone, or authenticator apps) and for X to publish a clear, step\u2011by\u2011step recovery guide. Longer term, platforms should implement staged migration tooling that allows credentials to be re-provisioned without locking accounts or provide automated fallback verification that maintains security assurances.<\/p>\n<h2>Comparison &#038; Data<\/h2>\n<figure>\n<table>\n<thead>\n<tr>\n<th>Authentication Method<\/th>\n<th>Affected by twitter.com \u2192 x.com<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Passkeys \/ WebAuthn-bound keys<\/td>\n<td>Yes \u2014 domain-bound, require re-enroll<\/td>\n<\/tr>\n<tr>\n<td>Hardware security keys (e.g., YubiKey)<\/td>\n<td>Yes \u2014 treated like passkeys if created for twitter.com<\/td>\n<\/tr>\n<tr>\n<td>Authenticator app (TOTP)<\/td>\n<td>No \u2014 unaffected by domain change<\/td>\n<\/tr>\n<tr>\n<td>Password + SMS \/ Email recovery<\/td>\n<td>Varies \u2014 depends on recovery configuration<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>The table shows which common 2FA types were impacted by the domain migration. In short: cryptographic credentials tied to a specific domain require explicit re-registration, while time-based codes generated by authenticator apps do not depend on domain binding and continued to function as before.<\/p>\n<h2>Reactions &#038; Quotes<\/h2>\n<blockquote>\n<p>\u201cWe\u2019re seeing reports across social media that users are getting stuck in endless loops and, in some cases, getting locked out,\u201d<\/p>\n<p><cite>TechCrunch (media reporting)<\/cite><\/p><\/blockquote>\n<blockquote>\n<p>\u201cUsers must re-enroll passkeys under x.com; accounts may be locked after the deadline,\u201d<\/p>\n<p><cite>X post (official announcement)<\/cite><\/p><\/blockquote>\n<blockquote>\n<p>\u201cPasskeys and security keys are cryptographically tied to the domain that created them.\u201d<\/p>\n<p><cite>WebAuthn (W3C, technical)<\/cite><\/p><\/blockquote>\n<h2>\n<aside>\n<details>\n<summary>Explainer: passkeys, hardware keys and domain binding<\/summary>\n<p>Passkeys (WebAuthn) are public-key credentials stored on a device or cloud vault; they cryptographically prove a user\u2019s identity to a specific relying party identifier (usually a website domain). Hardware security keys, such as those from Yubico, implement the same cryptographic model in a physical token. Because the credential embeds the origin (domain) that created it, a domain change requires the user to register a new credential on the new domain. This design defends against phishing but requires careful migration planning when sites change domains or consolidate services.<\/p>\n<\/details>\n<\/aside>\n<\/h2>\n<h2>Unconfirmed<\/h2>\n<ul>\n<li>Scale of the lockouts \u2014 there is no public, company-provided figure for how many accounts were affected as of publication.<\/li>\n<li>Whether any account data or credentials beyond access disruption were exposed \u2014 TechCrunch\u2019s reporting does not indicate data breach or credential compromise.<\/li>\n<\/ul>\n<h2>Bottom Line<\/h2>\n<p>The episode illustrates a predictable technical consequence of a domain migration that appears not to have been fully operationalized: highly secure authentication methods require coordinated re-registration flows or robust recovery options to avoid locking legitimate users out. X\u2019s decision to set a hard deadline without an apparent backstop produced real user harm in the form of account inaccessibility.<\/p>\n<p>For users, the immediate steps are practical: try alternate recovery routes (backup codes, linked email\/phone, authenticator apps) and contact support if available. For platforms, the lesson is clear: strong authentication is valuable, but migrations must include tested user journeys and explicit fallback mechanisms to preserve access while maintaining security.<\/p>\n<h2>Sources<\/h2>\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2025\/11\/12\/elon-musks-x-botched-its-security-key-switchover-locking-users-out\/\" target=\"_blank\" rel=\"noopener\">TechCrunch<\/a> \u2014 media report covering the incident (reporting)<\/li>\n<li><a href=\"https:\/\/www.w3.org\/TR\/webauthn\/\" target=\"_blank\" rel=\"noopener\">W3C WebAuthn specification<\/a> \u2014 technical standard explaining domain\u2011bound credentials (technical\/standards)<\/li>\n<li><a href=\"https:\/\/x.com\/\">X (formerly Twitter)<\/a> \u2014 platform \/ official posts and help pages (official)<\/li>\n<li><a href=\"https:\/\/www.yubico.com\/\" target=\"_blank\" rel=\"noopener\">Yubico<\/a> \u2014 hardware security key vendor (vendor support)<\/li>\n<\/ul>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>Lead: On October 24, X (formerly Twitter) told users who rely on passkeys or hardware security keys to re-enroll under the x.com domain; a November 10 deadline followed. After the cutover, many people reported getting stuck in loops or outright locked out when attempting to re-enroll keys tied to the old twitter.com domain. Authenticator-app users &#8230; <a title=\"X\u2019s security key switchover locked users out after passkey migration error\" class=\"read-more\" href=\"https:\/\/readtrends.com\/en\/x-security-key-switchover\/\" aria-label=\"Read more about X\u2019s security key switchover locked users out after passkey migration error\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":4288,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"X\u2019s security key switchover locked users out - NewsLab","rank_math_description":"After X asked passkey and hardware-key users to re-enroll under x.com, a November 10 deadline left many stuck in loops or locked out. What happened and how users can recover.","rank_math_focus_keyword":"X,security key,passkey,2FA,domain migration","footnotes":""},"categories":[2],"tags":[],"class_list":["post-4289","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-top-stories"],"_links":{"self":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts\/4289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/comments?post=4289"}],"version-history":[{"count":0,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/posts\/4289\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/media\/4288"}],"wp:attachment":[{"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/media?parent=4289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/categories?post=4289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/readtrends.com\/en\/wp-json\/wp\/v2\/tags?post=4289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}