X just gave hardware security key users a two-week deadline that could lock them out of their accounts. The social platform announced it's retiring the Twitter.com domain for authentication, forcing anyone using YubiKeys or similar hardware for two-factor authentication to re-enroll their devices by November 10 or risk being locked out permanently.
X is forcing a security overhaul that puts millions of users on a tight deadline. The platform announced over the weekend that it's retiring the Twitter.com domain for authentication purposes, giving users until November 10 to re-register their hardware security keys or face being locked out of their accounts.
The move affects anyone using physical security keys like YubiKeys or passkeys for two-factor authentication. "By November 10, we're asking all accounts that use a security key as their two-factor authentication method to re-enroll their key to continue accessing X," the company's safety account posted Friday.
But this isn't just a routine security update. Christopher Stanley, a security engineer at X, xAI and SpaceX, revealed the technical reality behind the deadline. "Getting off of Twitter enrolled keys so we can stop doing hacky things for domain trust," he explained on the platform. "Physical security keys are cryptographically registered to Twitter's domain and need to be re-enrolled under X."
The announcement initially sparked confusion about whether this was a security incident, but X quickly clarified that other authentication methods remain untouched. Google Authenticator, Microsoft Authenticator, and Authy users can continue accessing their accounts normally. The domain change specifically targets hardware keys because they're cryptographically bound to the original Twitter.com domain.
This technical requirement exposes how deeply the Twitter infrastructure still runs beneath X's surface, nearly two years after Elon Musk's acquisition. While the platform has aggressively rebranded everything from its name to its iconic bird logo, core systems apparently still rely on Twitter's original domain structure.
The timing adds urgency to what might otherwise be routine maintenance. Users who miss the November 10 deadline could find themselves completely locked out of accounts they've secured with hardware keys - often the most security-conscious users on the platform. The company hasn't indicated whether it will offer grace periods or recovery options for users who miss the cutoff.
For affected users, the fix requires navigating to Settings, then Security and account access, followed by Two-factor authentication, and finally Manage security keys. From there, they can either re-enroll existing keys or add new ones under the X.com domain.
