X's mandatory security key migration has backfired spectacularly, trapping users in endless loops and locking them out of their accounts entirely. The platform's effort to retire the Twitter.com domain has turned into a security nightmare for users who relied on hardware keys and passkeys - precisely the people who took security most seriously.
X's attempt to finally bury the Twitter brand has turned into an authentication disaster. Users across social media are reporting they're trapped in endless loops trying to re-enroll their security keys, with many completely locked out of their accounts following a mandatory domain migration that went live this week.
The trouble started with what seemed like routine housekeeping. Back in October, X announced it was requiring users with passkeys or hardware security keys like YubiKeys to re-enroll their devices using the new x.com domain. The company warned that after November 10, accounts would be locked until users completed the switchover or chose a different two-factor authentication method.
But the technical reality proved messier than X anticipated. Passkeys and security keys are cryptographically bound to specific domains - in this case, the old twitter.com URL. Unlike password managers that can be updated with a few clicks, these security tokens can't simply be transferred over. Users have to manually un-enroll from Twitter.com and re-enroll with x.com, a process that's now failing for countless users.
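The domain binding described above can be seen in the WebAuthn data itself: the browser only lets a page use a relying party ID (RP ID) that matches its own host, and the authenticator data it returns begins with the SHA-256 hash of that RP ID. The following Python sketch is an added illustration, not X's code; the function names are hypothetical, the sample data is constructed, and signature verification and the public-suffix check are left out to keep the focus on the binding.

```python
import hashlib
import hmac
import struct

def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed sample: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)."""
    flags = 0x01 | 0x04  # UP (user present) and UV (user verified)
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)

def rp_id_allowed_for_origin(rp_id: str, origin_host: str) -> bool:
    """Browser-side rule (simplified): the RP ID must be the origin's host
    or a parent domain of it. The public-suffix check is omitted here."""
    return origin_host == rp_id or origin_host.endswith("." + rp_id)

def verify_rp_binding(auth_data: bytes, expected_rp_id: str) -> bool:
    """Server-side rule: the first 32 bytes must equal SHA-256(expected RP ID)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    return hmac.compare_digest(auth_data[:32], expected)

def check_login(credential_rp_id: str, origin_host: str, server_rp_id: str) -> str:
    """Walk one sign-in attempt through both checks and report where it stops."""
    if not rp_id_allowed_for_origin(credential_rp_id, origin_host):
        return "blocked by client: RP ID not valid for this origin"
    auth_data = make_authenticator_data(credential_rp_id)
    if not verify_rp_binding(auth_data, server_rp_id):
        return "rejected by server: rpIdHash mismatch"
    return "accepted"

if __name__ == "__main__":
    # A key enrolled for twitter.com works on twitter.com and its subdomains...
    print(check_login("twitter.com", "twitter.com", "twitter.com"))
    print(check_login("twitter.com", "mobile.twitter.com", "twitter.com"))
    # ...but cannot be used from a page served at x.com.
    print(check_login("twitter.com", "x.com", "x.com"))
    # After re-enrollment the credential is scoped to x.com and is accepted.
    print(check_login("x.com", "x.com", "x.com"))
```

Because the RP ID is fixed when the credential is created, the only path from the first case to the last is creating a new credential under the new domain, which is the re-enrollment step users are being asked to complete.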
The irony is painful: X's security migration is punishing exactly the users who took platform security most seriously. While users relying on authenticator apps remain unaffected, those who invested in dedicated hardware keys - often security professionals and privacy advocates - are finding themselves locked out.
"We're seeing reports across social media that users are getting stuck in endless loops," according to TechCrunch's security coverage. The authentication failures range from cryptic error messages to infinite redirect loops that prevent users from completing the re-enrollment process.
This latest operational stumble adds to X's growing list of technical issues under Elon Musk's ownership. Since acquiring Twitter for $44 billion, the platform has weathered massive staff cuts that gutted engineering teams and countless operational controversies.
The domain migration itself reflects Musk's broader effort to eliminate Twitter's branding entirely. X began redirecting twitter.com to x.com in May 2024, but the underlying technical infrastructure has proven more stubborn than the cosmetic changes. Authentication systems, API endpoints, and embedded security tokens all carry traces of the platform's previous identity.












