X says passkey reset isn't about a security issue – it's to finally kill off twitter.com
- Reference: 1761570420
- News link: https://www.theregister.co.uk/2025/10/27/x_passkey_reset/
The cryptic mandate from X Safety on Friday led many to suspect a security breach was behind it. When a platform forcibly rotates security keys, it is often a sign it is working through incident response protocols – eradicating adversaries from a network and keeping them out.
But on Sunday, Elon Musk's social media mouthpiece finally gave the all-important explanation: it pertained to the twitter.com domain, which is still in use and redirects to x.com.
"To clarify: this change is not related to any security concern, and only impacts Yubikeys and passkeys – not other 2FA methods (such as authenticator apps)," X Safety [2]stated.
"Security keys enrolled as a 2FA method are currently tied to the twitter.com domain. Re-enrolling your security key will associate them with x.com, allowing us to retire the Twitter domain."
Physical security keys currently tied to the twitter.com domain won't work when users attempt to authenticate from the x.com domain, because WebAuthn credentials are bound at registration to the relying party's domain. They must therefore be re-enrolled in preparation for what sounds like a sunsetting of the Twitter domain.
Christopher Stanley, security engineer at X and SpaceX, said he asked the Safety team to issue the clarification after seeing the puzzled reactions from some in the security community.
"Getting off of Twitter enrolled keys so we can stop doing hacky things for domain trust," he [6]responded to one user.
"Physical security keys are cryptographically registered to Twitter's domain and need to be re-enrolled under X."
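The domain binding Stanley describes is enforced on both sides: the browser and authenticator only offer a credential for the RP ID it was created under, and the relying party checks that the `rpIdHash` in the signed authenticator data matches the domain it expects. The following is an added example, not X's code, that models the relying party's origin and `rpIdHash` checks from the WebAuthn assertion verification steps; the authenticator data and clientDataJSON are constructed samples, and signature verification is left out so the domain check stands on its own.

```python
import hashlib
import json
import struct

# Constructed sample clientDataJSON, as a browser would send it for a
# sign-in on the x.com origin (the challenge value is a placeholder).
CLIENT_DATA_X = json.dumps({
    "type": "webauthn.get",
    "challenge": "PLACEHOLDER-CHALLENGE",
    "origin": "https://x.com",
}).encode()


def make_auth_data(rp_id: str, sign_count: int, user_present: bool = True) -> bytes:
    """Build the 37-byte fixed prefix of WebAuthn authenticatorData:
    sha256(rpId) || flags || signCount (constructed sample, no extensions)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    flags = 0x01 if user_present else 0x00          # bit 0 = user present (UP)
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def check_rp_binding(auth_data: bytes, client_data_json: bytes,
                     expected_rp_id: str, allowed_origins: set) -> tuple:
    """Relying-party side origin and rpIdHash checks from the WebAuthn
    assertion verification steps. Signature verification is out of scope here."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "clientData type is not webauthn.get"
    if client.get("origin") not in allowed_origins:
        return False, "origin %r not allowed" % client.get("origin")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode("ascii")).digest():
        return False, "rpIdHash does not match expected RP ID %r" % expected_rp_id
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> tuple:
    """A credential scoped to twitter.com versus one re-enrolled under x.com,
    both presented to a relying party that now expects rpId x.com."""
    legacy = check_rp_binding(make_auth_data("twitter.com", 5), CLIENT_DATA_X,
                              "x.com", {"https://x.com"})
    reenrolled = check_rp_binding(make_auth_data("x.com", 1), CLIENT_DATA_X,
                                  "x.com", {"https://x.com"})
    return legacy, reenrolled


if __name__ == "__main__":
    for label, result in zip(("twitter.com key", "x.com key"), demo()):
        print(label, "->", result)
```

The twitter.com-scoped credential fails the `rpIdHash` comparison while the re-enrolled one passes, which is why a hard cut-over to x.com requires users to register their keys again rather than a server-side migration.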
Passkey push
The required re-enrollment of passkeys not only potentially signals the end of the Twitter domain, but also the company's commitment to the passkey revolution, which many others have joined.
All the big tech companies are edging toward the passwordless future. Microsoft has [11]long told customers they won't have the option to [12]forgo the passwordless push, while Google keeps [13]adding features to increase users' trust in the new way of authenticating.
Passwords can be, and all too often are, stolen through various means. The method of authenticating is susceptible to attacks such as phishing and [14]social engineering.
As Reg readers know, in a passkey world passwords are replaced by physical devices - smartphones and laptops - used to access the online services that require authentication.
Passkeys make these [16]account attacks much more difficult to pull off, and in many cases nullify them.
While phishing attacks may drop significantly, cybercriminals always find alternative ways to break into organizations.
Passkeys don't solve the software vulnerabilities problem – separate, slow-going work continues on that front – and attempts to [17]recruit insiders to carry out attacks like ransomware will likely increase. ®
[2] https://x.com/safety/status/1982278858457174522?s=51
[6] https://x.com/cstanley/status/1982100744309268781
[11] https://www.theregister.com/2025/05/04/security_news_in_brief/
[12] https://www.theregister.com/2024/12/18/microsoft_passkey_push/
[13] https://www.theregister.com/2025/10/16/google_gmail_trusted_contacts/
[14] https://www.theregister.com/2025/08/21/impersonation_as_a_service/
[16] https://www.theregister.com/2025/08/27/ciscos_duo_identity_crisis/
[17] https://www.theregister.com/2025/09/15/finwise_insider_data_breach/
If they were silly enough to release it, it would be great if Nitter snapped it up.
Hmmm?
When the Twitter domain stops working, I wonder how much stuff will suddenly point to nothing.
Re: Hmmm?
Thank god for Archive.org. There was such a push for multi-platform integration between 2012 and ~2018 that all of the sites from that era are just totally broken from stuff like twitter dropping the twitter domain, and I can only imagine the effort it takes to archive some notable examples of those sites. Oh to be a fly on the wall watching historians try to detangle it all in a hundred years or so.
(past 2018 it's not that there was less of a push for multi-platform integration, it's just that Facebook, Twitter, Amazon etc. decided that there should be no other platforms than theirs :/ )
Re: Hmmm?
Thank god for Archive.org
you say that as if there'd be any great loss if twitter or indeed X stopped existing
I'm all for getting rid of passwords, but passkeys != security
Passkeys have security value because they stop password reuse across domains, eliminate the need to write them down (if I didn't already) and force the attacker to shift tactics. But stopping credential theft outright, not as much.
For years now attacks have shifted focus to post-authentication credentials. It doesn't matter at all how you authenticate an account if you leave the resulting shared secret lying about on your local device waiting for somebody to drop by and read it/use it. OAuth tokens are particularly bad here because they are frequently not validated against other factors like the sending host (or even if they are, clever reverse proxies are not that unheard of), or even password resets (looking at YOU Gmail password resets!), have a long lifespan (again Google) and are frequently renewable (Google).
Long, unique passwords are fine.
Passkeys are just more of a fiddle, exclude more people/tech/vendors and offer a new point of failure/hacking option.
it's fine until it stops working
"Microsoft has long told customers they won't have the option to forgo the passwordless push,"
One of my cousins has a Mac, and MS Office. Over the weekend, he got a message from his personal OneDrive that he needed to sign in. Except that there was a problem: the password did NOT unlock OneDrive. He got an error message (8004de44, he called me to fix the damn thing) and a request for a 'security key' (the Mac doesn't have a fingerprint reader) and could not activate. Changing the password made no difference. He could access OneDrive in his web browser, just as he could access his MS account, and MS Office; he had a OneDrive Business account, which works. MS 'support' were less than helpful. The personal OneDrive works on a Windows machine and on an iPad as well as in Firefox, Brave, and Vivaldi. Apple support said that this is an MS problem, not theirs, especially as it works on the iPad.
In Ye Olden Daze of just passwords there would have been no problem. Probably.
"Passwords can be, and all too often are, stolen through various means."
I'd rather use passwords than a security token. Misplacing my all-eggs-in-one-basket token would keep me from accessing *anything* on the Internet. It's like losing your wallet, and having to replace *all* of your credit and ID cards, but worse. Having *one* of my randomly-generated passwords (say, for an e-commerce site) compromised seems to be lower impact overall.
They're going to have to carry on paying for all the Twitter domains for as long as they exist. They'll never be able to release them back out for someone else to register.