X (formerly Twitter) sparked security concerns over the weekend when it announced users must re-enroll their security keys by November 10 or face account lockouts — without initially explaining why.
The cryptic mandate from X Safety on Friday led many to suspect a security breach was behind it. When a platform forcibly rotates security keys, it is often a sign that it is working through incident response – evicting adversaries from a network and keeping them out.
But on Sunday, Elon Musk’s social media mouthpiece finally gave the all-important explanation: it pertained to the twitter.com domain, which is still in use and redirects to x.com.
“To clarify: this change is not related to any security concern, and only impacts Yubikeys and passkeys – not other 2FA methods (such as authenticator apps),” X Safety stated.
“Security keys enrolled as a 2FA method are currently tied to the twitter.com domain. Re-enrolling your security key will associate them with x.com, allowing us to retire the Twitter domain.”
Physical security keys currently tied to the twitter.com domain won’t work when users attempt to authenticate at the x.com domain, so they must be re-enrolled ahead of what sounds like a sunsetting of the Twitter domain. That is how FIDO2/WebAuthn is designed: a credential is scoped to the relying party ID it was registered under, the browser will only use it from an origin that matches that ID, and the server checks the RP ID hash carried in every assertion. The key hardware itself is unaffected; re-enrolling simply creates a fresh credential scoped to x.com on the same authenticator.
Christopher Stanley, security engineer at X and SpaceX, said he asked the Safety team to issue the clarification after seeing the puzzled reactions from some in the security community.
“Getting off of Twitter enrolled keys so we can stop doing hacky things for domain trust,” he responded to one user.
“Physical security keys are cryptographically registered to Twitter’s domain and need to be re-enrolled under X.”
Passkey push
The required re-enrollment of passkeys not only potentially signals the end of the Twitter domain, but also the company’s commitment to the passkey revolution, which many others have joined.
All the big tech companies are edging toward the passwordless future. Microsoft has long told customers that passwordless sign-in is coming whether they want it or not, while Google keeps adding features to increase users’ trust in the new way of authenticating.
Passwords can be, and all too often are, stolen. A secret the user types is susceptible to phishing, social engineering and reuse across sites.
As Reg readers know, in a passkey world passwords are replaced by cryptographic key pairs held on the user’s devices – smartphones, laptops and hardware keys – with the public key registered to the service and the private key never sent to it.
Passkeys make these account attacks much more difficult to pull off, and in many cases nullify them, because the credential is bound to the site’s domain: a look-alike phishing site cannot obtain a signature the real site will accept.
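The domain binding that forces X’s re-enrollment (keys “cryptographically registered to Twitter’s domain”) and the phishing resistance just described come from the same two WebAuthn checks. The following is an added example, not code from X or The Register: a simplified browser-side RP ID rule plus the relying-party checks on the rpIdHash in authenticator data and the origin in clientDataJSON, run over constructed sample data. The challenge string, origins and sign counts are made up for the demo, and signature verification is omitted because it needs the stored public key. In practice the authenticator itself refuses to produce an assertion for a credential enrolled under a different RP ID, so the server-side rpIdHash check is defence in depth rather than the only barrier.

```python
"""Added example (not code from X or The Register): the WebAuthn checks that
keep a passkey or security key bound to the domain it was enrolled under.
All credentials, challenge values and origins below are constructed for this demo."""
import hashlib
import json


def host_of(origin: str) -> str:
    """Extract the host from an origin such as https://x.com:443 (no IPv6 handling)."""
    host = origin.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """Browser-side rule (simplified; real browsers also reject public suffixes):
    the origin's host must equal the RP ID or be a subdomain of it. So a page at
    x.com cannot request a credential scoped to twitter.com, and a look-alike
    host such as twitter.com.evil.test cannot request one either."""
    host = host_of(origin)
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def make_authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """What an authenticator returns in an assertion, minus extensions:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
    rpIdHash is SHA-256 of the RP ID fixed at enrollment, which is why a
    twitter.com credential carries a twitter.com hash for its whole lifetime."""
    flags = 0x01  # UP bit: user presence verified
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def make_client_data_json(origin: str, challenge: str) -> bytes:
    """What the browser includes in the signed data: the origin it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_assertion(expected_rp_id, allowed_origins, expected_challenge,
                     client_data_json, authenticator_data):
    """Relying-party side: the WebAuthn assertion-verification steps that enforce
    domain binding. The signature over authenticatorData || SHA-256(clientDataJSON)
    is not checked here; a real server must check it with the stored public key."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} not allowed: assertion came from another site"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, f"rpIdHash mismatch: credential is not scoped to {expected_rp_id!r}"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; real servers use fresh randomness


def scenarios():
    """Three cases: the old twitter.com credential used at twitter.com, the same
    credential once the service expects x.com, and an assertion whose
    clientDataJSON shows it was produced on a phishing host."""
    old_key = make_authenticator_data("twitter.com", sign_count=7)
    return {
        "twitter.com key at twitter.com": verify_assertion(
            "twitter.com", {"https://twitter.com"}, CHALLENGE,
            make_client_data_json("https://twitter.com", CHALLENGE), old_key),
        "twitter.com key after move to x.com": verify_assertion(
            "x.com", {"https://x.com"}, CHALLENGE,
            make_client_data_json("https://x.com", CHALLENGE), old_key),
        "x.com key relayed from a phishing site": verify_assertion(
            "x.com", {"https://x.com"}, CHALLENGE,
            make_client_data_json("https://x.com.login-example.test", CHALLENGE),
            make_authenticator_data("x.com", sign_count=1)),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:42s} {'ACCEPT' if ok else 'REJECT'}: {why}")
    print("browser lets an x.com page use a twitter.com credential?",
          origin_matches_rp_id("https://x.com", "twitter.com"))
```

The second scenario is X’s situation: the stored credential’s rpIdHash is SHA-256 of "twitter.com", so once the service asks for x.com nothing short of a new enrollment can make it match. The third scenario is the phishing case: even if an attacker relays an assertion, the origin the browser wrote into clientDataJSON gives the game away, and the signature covers that field.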
While phishing attacks may drop significantly, cybercriminals always find alternative ways to break into organizations.
Passkeys don’t solve the software vulnerabilities problem – separate, slow-going work continues on that front – and attempts to recruit insiders to carry out attacks like ransomware will likely increase. ®