X Asks Users to Re-register Passkeys or Their Accounts Will Be Blocked
Social network X (formerly Twitter) has warned users they must re-register their hardware security keys and passkeys used for two-factor authentication (2FA) by November 10. Failure to comply will result in account lockouts.
The warning applies only to users who rely on passkeys or hardware keys like YubiKey for 2FA. Both methods are considered highly effective defenses against phishing attacks because identity verification occurs through cryptographic keys stored on a device or operating system, rather than traditional passwords that can be compromised by info-stealers and phishing campaigns.
The Deadline and Its Consequences
"By November 10th, we are asking all accounts using security keys for 2FA to re-register them to continue accessing X," the company announced via its official Safety account.
Users can either re-register an existing key or add a new one. However, X warned that registering a new key will immediately invalidate all previously registered keys.
After November 10, accounts without updated keys will be locked. Users can regain access through three methods: re-registering their security key or passkey, switching to an alternative 2FA method such as an authenticator app, or completely disabling two-factor authentication, though X strongly advises against that last option.
Why the Change Is Necessary
Company representatives emphasized that this requirement is not related to any security breach or cyber incident. Instead, the mandate stems from X's ongoing migration from the twitter.com domain to x.com.
Security keys and passkeys are cryptographically bound to specific domains—in this case, twitter.com. Once the old domain is fully deprecated, these keys will cease functioning entirely.
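The domain binding described above, as an added example (not code from X or from the original article): in WebAuthn the authenticator's response begins with the SHA-256 hash of the relying party ID and the browser records the page origin, so a relying party on x.com rejects a response produced for a twitter.com credential. The sample assertion, challenge value and helper names are constructed for illustration; signature verification is omitted and the browser's RP ID rule is simplified (no public-suffix check).

```python
import hashlib
import json
import struct
from urllib.parse import urlsplit


def rp_id_hash(rp_id):
    # authenticatorData begins with SHA-256(RP ID), 32 bytes.
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def rp_id_allowed_for_origin(rp_id, origin):
    # Browser-side rule, simplified (assumption: no public-suffix check):
    # the RP ID must equal the origin's host or be a parent domain of it.
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(rp_id, origin, sign_count=1):
    # Constructed sample of the two fields a login response carries.
    flags = 0x05  # user present + user verified
    auth_data = rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ", "origin": origin}
    ).encode("utf-8")
    return auth_data, client_data


def binding_errors(auth_data, client_data_json, expected_rp_id, expected_origin):
    # Relying-party checks that tie a response to one domain.
    errors = []
    if json.loads(client_data_json).get("origin") != expected_origin:
        errors.append("origin mismatch")
    if auth_data[:32] != rp_id_hash(expected_rp_id):
        errors.append("rpIdHash mismatch")
    return errors


if __name__ == "__main__":
    old = make_assertion("twitter.com", "https://twitter.com")
    new = make_assertion("x.com", "https://x.com")
    print("x.com page may use RP ID twitter.com:",
          rp_id_allowed_for_origin("twitter.com", "https://x.com"))
    print("old key checked by x.com:", binding_errors(*old, "x.com", "https://x.com"))
    print("re-registered key checked by x.com:", binding_errors(*new, "x.com", "https://x.com"))
```

The same two checks are what make these credentials phishing-resistant: a look-alike domain fails them in exactly the way the old twitter.com binding does here.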
How to Re-register Your Keys
To manually re-register security keys, users should navigate to x.com/settings/account/login_verification/security_keys, disable their existing security keys, and register them again. A password will be required to confirm identity during this process.
Once completed, the security keys and passkeys will be bound to the x.com domain and will continue functioning after the company fully transitions away from twitter.com.