
"X (formerly Twitter) sparked security concerns over the weekend when it announced users must re-enroll their security keys by November 10 or face account lockouts - without initially explaining why. The cryptic mandate from X Safety on Friday led many to suspect a security breach was behind it. When a platform forcibly rotates security keys, it's often a sign it is working through incident response protocols - eradicating adversaries from a network and keeping them out."
"But on Sunday, Elon Musk's social media mouthpiece finally gave the all-important explanation: it pertained to the twitter.com domain that's still in use and redirects to x.com. "To clarify: this change is not related to any security concern, and only impacts Yubikeys and passkeys - not other 2FA methods (such as authenticator apps)," X Safety stated. "Security keys enrolled as a 2FA method are currently tied to the twitter.com domain. Re-enrolling your security key will associate them with x.com, allowing us to retire the Twitter domain.""
X required users to re-enroll security keys by November 10 or face lockouts. The mandate initially lacked an explanation and raised breach concerns because forced key rotation often indicates incident response. X later clarified the change was not security-related and affects only YubiKeys and passkeys, not other 2FA methods. Security keys were cryptographically tied to the twitter.com domain; re-enrollment will bind them to x.com so the Twitter domain can be retired. Physical security keys tied to twitter.com will not authenticate on x.com. An X security engineer confirmed the domain trust change. Re-enrollment of passkeys signals commitment to a passwordless future.
Read at Theregister
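The domain binding described above is WebAuthn relying-party ID (RP ID) scoping. The sketch below is an added example, not code from X or from the article; it models the three checks that make a key enrolled under twitter.com unusable on x.com until it is re-enrolled. `ToyAuthenticator`, `login` and the sample data are hypothetical, and signature verification is omitted to keep the focus on the RP ID.

```python
import hashlib
import hmac
import os

def rp_id_allowed_for_origin(rp_id: str, origin_host: str) -> bool:
    # Simplified client rule: the RP ID must be the page's host or a parent
    # domain of it (real browsers also reject public suffixes such as "com").
    return origin_host == rp_id or origin_host.endswith("." + rp_id)

def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    # Constructed sample: rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def verify_rp_id_hash(authenticator_data: bytes, expected_rp_id: str) -> bool:
    # Server-side check: the first 32 bytes must be SHA-256 of the RP ID we expect.
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    expected = hashlib.sha256(expected_rp_id.encode()).digest()
    return hmac.compare_digest(authenticator_data[:32], expected)

class ToyAuthenticator:
    """Hypothetical stand-in for a security key: each credential is scoped to one RP ID."""
    def __init__(self):
        self._scope = {}  # credential id -> RP ID fixed at enrollment

    def enroll(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)
        self._scope[cred_id] = rp_id
        return cred_id

    def get_assertion(self, rp_id: str, allowed_ids):
        # The key only answers for credentials created under the requested RP ID.
        if any(self._scope.get(c) == rp_id for c in allowed_ids):
            return make_authenticator_data(rp_id)
        return None

def login(key, page_host: str, rp_id: str, allowed_ids) -> str:
    if not rp_id_allowed_for_origin(rp_id, page_host):
        return "rp_id_not_allowed_for_origin"  # the browser refuses the request
    auth_data = key.get_assertion(rp_id, allowed_ids)
    if auth_data is None:
        return "no_credential_for_rp_id"       # the key has nothing scoped here
    return "ok" if verify_rp_id_hash(auth_data, rp_id) else "rp_id_hash_mismatch"

if __name__ == "__main__":
    key = ToyAuthenticator()
    old = key.enroll("twitter.com")
    print(login(key, "x.com", "twitter.com", [old]))                  # blocked by the client
    print(login(key, "x.com", "x.com", [old]))                        # key has no x.com credential
    print(login(key, "x.com", "x.com", [old, key.enroll("x.com")]))   # works after re-enrollment
```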