X is preparing to put Twitter.com out to pasture, and the official @Safety account posted on Friday warning anyone using physical security keys or passkeys for 2FA that they will need to re-enroll them. According to X, if the login methods aren’t updated by November 10th, the associated accounts will be locked until the update process is completed, and abandoned accounts could possibly be sold.

Active users with keys attached to their accounts have been getting notifications about the impending change for a while, and the X Safety team explained the process in a clarification post: “This change is not related to any security concern, and only impacts Yubikeys and passkeys – not other 2FA methods (such as authenticator apps). Security keys enrolled as a 2FA method are currently tied to the twitter[.]com domain. Re-enrolling your security key will associate them with x[.]com, allowing us to retire the Twitter domain.”

Authentication methods like hardware keys and passkeys have to be updated for the same reason they help protect against phishing attacks that try to dupe you with fake Unicode characters or long addresses pointing to another website. They’re tied to the domain they were originally set up with, and won’t recognize another one, like a link using a “|” character to look like a lower-case L, or X.com instead of Twitter.com.
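The domain binding described above can be seen in a small model of a WebAuthn sign-in. This is an added example, not code from X or from the article; the function names, the credential store and the sample values are constructed for illustration. It simplifies the browser's RP ID rule (no public suffix list) and omits signature verification.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed authenticator store: one credential, scoped to the RP ID it was enrolled under.
STORE = {"twitter.com": ["cred-constructed-01"]}

def browser_allows(rp_id: str, origin: str) -> bool:
    """Client rule: the RP ID must be the origin's host or a parent domain of it.
    Simplified: real browsers also consult the public suffix list."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def get_assertion(origin: str, rp_id: str, challenge: str):
    """Model of a credential request: returns (clientDataJSON, authenticatorData) or None."""
    if not browser_allows(rp_id, origin) or not STORE.get(rp_id):
        return None  # wrong site for this RP ID, or no credential scoped to it
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData starts with SHA-256(rpId), then flags (UP|UV) and signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
    return client_data, auth_data

def server_accepts(assertion, expected_origin: str, expected_rp_id: str, challenge: str) -> bool:
    """Relying-party binding checks (signature verification omitted in this model)."""
    if assertion is None:
        return False
    client_data, auth_data = assertion
    data = json.loads(client_data)
    return (
        data.get("type") == "webauthn.get"
        and data.get("challenge") == challenge
        and data.get("origin") == expected_origin
        and auth_data[:32] == hashlib.sha256(expected_rp_id.encode()).digest()
    )

def login(origin: str, rp_id: str) -> bool:
    """One sign-in attempt: the page at `origin` asks for a credential under `rp_id`."""
    challenge = "Y29uc3RydWN0ZWQ"  # constructed challenge value
    assertion = get_assertion(origin, rp_id, challenge)
    return server_accepts(assertion, f"https://{rp_id}", rp_id, challenge)

if __name__ == "__main__":
    for origin, rp_id in [("https://twitter.com", "twitter.com"), ("https://x.com", "twitter.com"),
                          ("https://x.com", "x.com"), ("https://twitter.com.example", "twitter.com")]:
        print(f"{origin:28} rp_id={rp_id:12} -> {login(origin, rp_id)}")
```

Only the first attempt succeeds: a page on x.com cannot request the twitter.com credential, and the authenticator holds nothing scoped to x.com until the key is enrolled again under that RP ID.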

The security keys and passkeys are among the few remaining holdouts since X officially changed its domain over a year ago and abandoned its iconic blue bird mascot a year before that. There are still some last shreds of the old Twitter domain hanging on, though, like the page for embedding X posts.
