X goes down hard with a security ‘YubiKey’ error affecting millions of Twitter users

As of 3 PM ET, I was able to finally log into my personal account for the first time without the YubiKey request error, suggesting X's software rollback is finally propagating to all servers.

Likewise, Down Detector now shows a slight downward trend, which also likely means we're coming to the end of this debacle.

Some other users have shared their experience:

"I got stuck in the same infinite loop - completely locked out now, they flagged the account for suspicious log in activity". — TescoValueSoup

"Same here, stuck in the same infinite loop. I actually managed to renroll my Yubikey on my mobile through NFC, and it just keeps looping through "you must re-enroll" even though I've done the re-enrollment". — bigbearandy

"I don't have a yubikey. But I was also required to update that, and without any other options.

I think the team sucks, especially for security issues! When I applied for downloading my data, the page also kept enrolling. What a rubbish!" — ImprovementSerious46

As we come up on the first hour of X being down and locking users out of their accounts, we can still see many reports coming into Down Detector.

Per one thread on Reddit, we can get a better idea of what people are experiencing. AuronQuake writes:

"Hi, I am not able to login to my account. The website is asking me to upgrade my passkey. I used biometric authentication (Touch ID on my MacBook and FaceID on my iPhone) to setup a passkey months ago, but now when I try to login to x.com it says "You must re-enroll your yubikey. It’ll just take a few minutes to re-enroll. Re-enrolling your yubikey will associate it with x.com, allowing us to retire the Twitter domain."

I don't use a physical security key like a yubikey for my passkey. When I try to create a new passkey by clicking "get started" it doesn't give me an option to use Touch ID on my MacBook, but instead wants me to insert a yubikey into my MacBook. I can't login to X.com to remove my previous passkey and add a new one because I can't get past this passkey upgrade page. It's also appearing on the X app on my phone. Please help."

Interestingly, Windows Central has had some personal reports that even users who never owned or registered a YubiKey (a physical USB key, see above photo) are having this issue, suggesting that there is some overlap with 2FA methods, which is causing the problem.

Even more frustrating are users who have a YubiKey and also can't log in, so going out and buying one won't solve your issue.

As part of the explanation for the problem, we can cite an article from our colleagues at TechRadar, which wrote about X killing the Twitter.com domain, and the potential to cause issues with 2FA.

"The news of the impending deprecation of the classic domain comes by way of X Safety. The account posted a...er..X telling everyone that by November 10, they want all accounts using security keys as 2FA (two-factor authentication) "to reneroll their key to continue accessing X."

This seems to be directly related to today's outage, as the error message people get mentions this domain shift.

Per sources of Windows Central, X's engineers are reverting the recent changes, and we should see service restored soon.

(Edited for clarity)

If you can’t access your X (Twitter) account, you’re not alone. It appears that thousands (if not millions) of accounts are being locked out with the same error:

"You must re-enroll your yubikey

It’ll just take a few minutes to re-enroll. Re-enrolling your yubikey will associate it with x.com, allowing us to retire the Twitter domain."

Of course, when you try to do the above, even if you never had a YubiKey, the system just loops around with a verification code error, keeping people perpetually logged out.

Looking at DownDetector.com, it’s clear that there is a significant issue starting at around 1:30 PM ET. Likewise, users on Reddit are also reporting the same problem, in addition to some of the Windows Central staff.

Developing …