
X Security Key Re-enrollment Required by November 10, 2025

2 unique sources, 2 articles

Summary


X is requiring users who have enrolled in two-factor authentication (2FA) with security keys to re-enroll their keys by November 10, 2025, to avoid account lockouts. This change is part of the platform's transition away from the twitter[.]com domain. Users must re-enroll their security keys or choose an alternative 2FA method to maintain access to their accounts. The move affects users who have enrolled 2FA using hardware security keys like YubiKeys. The platform supports other 2FA methods, including authenticator apps and text messages (for non-Premium subscribers). Users can re-enroll their security keys by visiting x.com/settings/account/login_verification/security_keys. Re-enrolling a new security key will disable any previously enrolled keys unless they are also re-enrolled. The change is not related to any security incident but is due to the migration from the twitter.com domain to x.com.

Timeline

  1. 27.10.2025 18:12 2 articles · 1d ago

    X Mandates Security Key Re-enrollment by November 10, 2025

    Users must re-enroll their security keys or choose an alternative 2FA method to maintain access to their accounts. The change is part of the platform's transition away from the twitter[.]com domain. Users can re-enroll their security keys by visiting x.com/settings/account/login_verification/security_keys. Re-enrolling a new security key will disable any previously enrolled keys unless they are also re-enrolled. The change is not related to any security incident but is due to the migration from the twitter.com domain to x.com.



Similar Happenings

Synced Passkeys Vulnerable to Enterprise Attacks

Synced passkeys, which are credentials stored in an authenticator and synced across devices through cloud services, pose significant security risks for enterprises. These risks include cloud account takeovers, authentication downgrade attacks, and browser-based security vulnerabilities. Device-bound passkeys in hardware security keys offer higher assurance and better administrative control, and should be mandatory for enterprise access use cases. Synced passkeys shift the trust boundary to cloud accounts and recovery workflows, expanding the attack surface. Adversaries can exploit these vulnerabilities to gain unauthorized access to enterprise systems. Organizations should prioritize device-bound passkeys to enhance security.

Adoption and Security of Passkeys in Passwordless Authentication

Passkeys, a form of passwordless authentication based on public key cryptography, are gaining traction as a more secure alternative to traditional passwords. They are increasingly adopted by major organizations, including Microsoft and Aflac, due to their enhanced security and user convenience. However, passkeys come with challenges such as device dependency, complex setup, and limited compatibility with legacy systems. Passkeys use a key pair: a public key stored by the service and a private key that stays on the user's device. This method prevents phishing, brute force, and dictionary attacks, as the private key never leaves the device. Even if a database is breached, the public keys are useless without the corresponding private key. Despite their advantages, passkeys face barriers like complexity, costs, and lack of clarity. Organizations may need to run hybrid models during the transition, maintaining strong password hygiene where passkeys are not yet feasible.