
X Warns Users With Security Keys to Re-Enroll Before November 10 to Avoid Lockouts

Medium
Vulnerability
Published: Mon Oct 27 2025 (10/27/2025, 16:12:00 UTC)
Source: The Hacker News

Description

Social media platform X is urging users who have enrolled for two-factor authentication (2FA) using passkeys and hardware security keys like YubiKeys to re-enroll their key to ensure continued access to the service. To that end, users are being asked to complete the re-enrollment, either using their existing security key or enrolling a new one, by November 10, 2025. "After November 10, if you

AI-Powered Analysis

Last updated: 10/29/2025, 00:42:55 UTC

Technical Analysis

The social media platform X, previously known as Twitter, has announced a mandatory re-enrollment process for users who have registered hardware security keys or passkeys as their two-factor authentication method. This requirement arises because the security keys are currently linked to the twitter.com domain, which is being deprecated in favor of the x.com domain as part of the platform's rebranding and domain retirement strategy. Users must complete the re-enrollment by November 10, 2025, to maintain uninterrupted access to their accounts. If users fail to re-enroll, their accounts will be locked until they either complete the re-enrollment, switch to an alternative 2FA method such as authenticator apps, or disable 2FA altogether (though disabling 2FA is discouraged). The re-enrollment process involves removing existing security keys and registering them again under the new domain, ensuring that the cryptographic association between the key and the service is updated. This change does not affect users who use other 2FA methods like authenticator apps or SMS-based 2FA (the latter being limited to non-premium users). The update is a procedural security measure rather than a vulnerability or exploit, designed to maintain the integrity and availability of user accounts during the domain transition. There are no known exploits in the wild related to this change, and the platform has communicated clear instructions to users to mitigate lockouts. The impact is primarily on user access continuity rather than a direct security compromise.
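Why a key enrolled under twitter.com cannot simply be reused on x.com, shown as an added example that is not part of the original analysis or of X's code: in WebAuthn a credential is scoped to a relying party ID (RP ID), and the client, the authenticator and the server each check it. The function names and the constructed authenticator data below are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def rp_id_valid_for_origin(rp_id, origin_host):
    # Client rule: RP ID must equal the origin host or be a parent domain of it
    # (the public-suffix check a real browser also applies is omitted here).
    return origin_host == rp_id or origin_host.endswith("." + rp_id)

def build_auth_data(rp_id, sign_count=1):
    # Constructed authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    flags = 0x01 | 0x04  # user present + user verified
    rp_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    return rp_hash + bytes([flags]) + struct.pack(">I", sign_count)

def server_accepts(auth_data, expected_rp_id):
    # Server rule: the first 32 bytes must be SHA-256 of the RP ID it expects.
    if len(auth_data) < 37:
        return False
    expected = hashlib.sha256(expected_rp_id.encode("ascii")).digest()
    return hmac.compare_digest(auth_data[:32], expected)

def sign_in(enrolled_rp_ids, origin_host, requested_rp_id, server_rp_id):
    # Walk one sign-in through the client, authenticator and server checks.
    if not rp_id_valid_for_origin(requested_rp_id, origin_host):
        return (False, "client: RP ID not valid for origin")
    if requested_rp_id not in enrolled_rp_ids:
        return (False, "authenticator: no credential for RP ID")
    if not server_accepts(build_auth_data(requested_rp_id), server_rp_id):
        return (False, "server: rpIdHash mismatch")
    return (True, "ok")

if __name__ == "__main__":
    old_key = {"twitter.com"}  # key enrolled before the domain change
    new_key = {"x.com"}        # same key after removal and re-enrollment
    cases = [
        (old_key, "x.com", "twitter.com", "x.com"),
        (old_key, "x.com", "x.com", "x.com"),
        (old_key, "twitter.com", "twitter.com", "x.com"),
        (new_key, "x.com", "x.com", "x.com"),
    ]
    for case in cases:
        print(case[1:], "->", sign_in(*case))
```

Only the last case succeeds, which is why re-enrollment under x.com is required rather than a server-side rename.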

Potential Impact

For European organizations and users relying on X for communication, marketing, or brand presence, failure to re-enroll security keys could lead to temporary account lockouts, disrupting business operations or personal communications. Organizations that use X accounts secured with hardware keys for critical communications may experience availability issues if users do not act before the deadline. This could lead to delays in social media campaigns, customer engagement, or crisis communications. Additionally, users who are less tech-savvy or unaware of the re-enrollment requirement may face access issues, potentially requiring support intervention. However, since this is not a vulnerability that allows unauthorized access, the confidentiality and integrity of accounts remain intact. The main risk is operational disruption due to loss of access. European companies with social media teams or executives using hardware keys for X accounts should proactively communicate this requirement to avoid lockouts. The impact is medium severity because it affects availability but does not expose accounts to compromise or data leakage.

Mitigation Recommendations

European organizations should take proactive steps to ensure all users who use hardware security keys or passkeys for X accounts are informed about the re-enrollment deadline. This includes internal communications, training, and reminders well before November 10, 2025. IT and security teams should provide clear, step-by-step guidance on how to delete and re-register security keys under the new x.com domain. Organizations should consider auditing which employees use hardware keys for X and verify their re-enrollment status. For critical accounts, it may be prudent to enroll multiple security keys to provide redundancy. Users should be encouraged to test their access after re-enrollment to confirm functionality. Additionally, organizations should have contingency plans to switch to alternative 2FA methods temporarily if users face issues with hardware keys. Monitoring for any user lockouts or support tickets related to this change can help identify and resolve problems quickly. Finally, organizations should maintain awareness of further communications from X regarding authentication changes to adapt promptly.


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/10/x-warns-users-with-security-keys-to-re.html","fetched":true,"fetchedAt":"2025-10-29T00:40:50.152Z","wordCount":906}

Threat ID: 6901629430d110a1a6e799d5

Added to database: 10/29/2025, 12:40:52 AM

Last enriched: 10/29/2025, 12:42:55 AM

Last updated: 10/29/2025, 2:47:14 PM
