X’s security key switchover locks users out in endless loops

According to TechCrunch, Elon Musk’s X is experiencing widespread account lockouts following a mandatory two-factor authentication change that went into effect after November 10, 2024. The platform had announced on October 24 that users relying on passkeys or hardware security keys like YubiKeys needed to re-enroll using the x.com domain as part of retiring the older twitter.com domain. Users were warned they’d be locked out if they didn’t comply by the deadline, and now that deadline has passed, countless users are reporting being trapped in endless loops and unable to access their accounts. The core issue is that passkeys and security keys are digitally tied to the old twitter.com domain and can’t be transferred automatically. This marks another major operational failure for the $44 billion platform Musk acquired in 2022.

The technical mess behind the lockouts

Here’s the thing about security keys and passkeys – they’re not just simple passwords. They’re cryptographically tied to specific domains. When you register a security key on twitter.com, the credential it creates is bound to that domain, and it can’t simply be redirected when the domain changes. Basically, X is trying to force everyone over to x.com while the underlying security infrastructure can’t make that jump automatically.

And that’s where this whole thing falls apart. Users who relied on the most secure authentication methods are now completely locked out. They can’t log in to change their settings because their security keys don’t work, and they can’t set up new ones because they can’t get past the login screen. It’s a classic chicken-and-egg problem that should have been anticipated and handled better.
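The domain binding described above can be modelled in a few lines. This is an added example, not X's code or anything from the original article: a simplified Python model of WebAuthn scoping in which `ToyAuthenticator`, `server_accepts` and `migration_demo` are hypothetical names, signatures are left out, and the browser's Public Suffix List check is reduced to a suffix match.

```python
import hashlib, json, struct
from urllib.parse import urlsplit

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def rp_id_valid_for_origin(rp_id, origin):
    # Simplified client rule: HTTPS, and RP ID equals the origin host or a parent of it.
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

class ToyAuthenticator:
    """Constructed model of a security key: credentials are stored per RP ID."""
    def __init__(self):
        self.counters = {}  # rp_id -> signature counter

    def register(self, rp_id, origin):
        if not rp_id_valid_for_origin(rp_id, origin):
            raise ValueError("RP ID is not valid for this origin")
        self.counters[rp_id] = 0

    def get_assertion(self, rp_id, origin):
        if not rp_id_valid_for_origin(rp_id, origin) or rp_id not in self.counters:
            return None  # client refuses the scope, or the key holds no credential
        self.counters[rp_id] += 1
        # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
        auth_data = rp_id_hash(rp_id) + b"\x05" + struct.pack(">I", self.counters[rp_id])
        client_data = json.dumps({"type": "webauthn.get", "origin": origin}).encode()
        return auth_data, client_data

def server_accepts(assertion, expected_rp_id, expected_origin):
    if assertion is None:
        return False
    auth_data, client_data = assertion
    data = json.loads(client_data)
    return (data["type"] == "webauthn.get" and data["origin"] == expected_origin
            and auth_data[:32] == rp_id_hash(expected_rp_id))

def migration_demo():
    key = ToyAuthenticator()
    key.register("twitter.com", "https://twitter.com")  # enrolled before the switch
    login = lambda rp, origin: server_accepts(key.get_assertion(rp, origin), rp, origin)
    result = {"old_domain": login("twitter.com", "https://twitter.com"),
              "new_domain": login("x.com", "https://x.com"),
              "old_rp_on_new_origin": login("twitter.com", "https://x.com")}
    key.register("x.com", "https://x.com")  # re-enrollment under the new domain
    result["after_reenroll"] = login("x.com", "https://x.com")
    return result
```

`migration_demo()` shows the old credential working on twitter.com, failing on x.com under either RP ID, and working again only after re-enrollment.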

Another day, another Musk-era controversy

Since Musk took over Twitter and rebranded it to X, we’ve seen massive layoffs, constant feature changes, and now this security debacle. What’s particularly telling is that Musk himself seems unaffected – he’s been posting as usual while regular users can’t access their accounts. It really makes you wonder about the internal testing and rollout procedures at the company now.

Look, domain migrations are tricky, but they’re not exactly new territory. Companies change domains all the time without locking out their most security-conscious users. The fact that X gave users less than three weeks to make this critical security change, then apparently didn’t have proper fallback mechanisms in place, speaks volumes about their current operational maturity.

The security tradeoffs here are real

This situation creates a terrible dilemma for security-minded users. Do they downgrade to less secure authentication methods just to get back into their accounts? Or do they wait indefinitely for X to fix the mess? Many security professionals recommend hardware keys as the gold standard for account protection, and now those same users are being punished for following best practices.

X’s original announcement made it sound straightforward, but the reality has been anything but. When you’re dealing with security infrastructure that protects people’s accounts and potentially sensitive communications, you can’t afford these kinds of rollout failures. The trust erosion here is significant, and it’s another self-inflicted wound for a platform that can’t seem to catch a break.
