Users Stuck in YubiKey Re-Enrollment Loop on X (Twitter)

Same here - simply cannot fix it, and it's somewhat annoying that it talks about Yubikeys when I'm only using on-device security keys instead. Must be very confusing for many others!

Same here, been reporting the broken flow to customer support. An interesting part is the "we'll send you an email to confirm you're you", followed by a "enter validation code here" screen that immediately gets forwarded to the re-enrollment message. Also, no confirmation emails are being sent. Very surprised to see this being deployed to prod.

This might never be fixed.

I am stuck in this loop as well. All devices, all attempts to clear cookies, log out and back in, etc, don't work.

"Get a YubiKey," they said. "It'll be fun!," they said.

Grrrrr.....stuck like Chuck.

they just fixed it for me (well I'm not stuck in the loop anymore idk if they "fixed" fixed it yet)

My account seems to be back, I didn't do anything. Just went to X and now it loads.

Now to see what configuration is set for 2fa on my account...

Looks like my traditional 2fa method was removed and only the security key is left.

Looks like they reverted the changes, I was able to get back in.

Same here on 2 accounts, both having 2fa through a HW key(yubikey; though passkeys have the same behavior). At some point today(few hours ago) both my desktop and phone got reditected to x.com/account/access, where the loop started.

Frustratingly enough, i had already done the "re-enrollment" a long time ago(basically when they announced it was mandatory), but it seems like that was pointless(hopefully not).

I saw some prompts about birdhouse, re-did the enrollment, and badly enough (I think i dug my own hole with this one) it asked to remove the other 2FA option (SMS), to which I clicked yes.

This might sound bad but I sincerely hope X fixes it somehow, and all the keys enrolled/re-(re-[etc])-enrolled are not lost, especially those that were not added today. It might be a good idea (in practice, bad for security) to disable this new "https://x.com/account/access?flow=two-factor-security-key-po..." garbage fully, as I don't see myself contacting X support anytime soon(for obvious reasons).

Prompted a couple of times only on the mobile device. I have a YibiKey 4 so it's inconvenient to do it with a USB-C to USB-A adapter. Ignored it for a while and eventually I wasn't able to use X without "re-enroll".

So I did it on a laptop. The process seemed legit, the entire flow was weird and not intuitive, I had to stop and read twice before proceeding (e.g. "Where to store passkey", disable all other MFA ans only use Security Key, a backup recovery code was given...). After going through all that, find myself locked out of X because of the infinite re-enroll loop, OMG.

Contacted support, let's see how long it takes. After this, I don't think I'll continue to use Security Key with X...

Oh wow, here's the thread I was looking for.

I'm stuck in the same loop and effectively locked out of my account. I wanted to complain about this on X and of course I can't do that. I also wanted to see if I was the only one affected or it was more widespread, but of course being logged out it's impossible.

Thankfully there's still HN :)

Same for me. I've seen many people being back to normal though.

I re-enrolled on mobile using a Yubikey NFC with the iOS app back in October when prompted.

Force logged-out today from a session on Desktop Chrome. Stuck in the loop. Force logged-out on iOS app.

Burnt recovery code in further attempts.

Tried again when support asked me to by email. Got a "suspicious login attempt prevented" message. That's 2 hours ago. Silence from support since.

Tried again, back to the loop (the "suspicious login attempt" message is gone), but I'm still not able to re-enroll the key.

Anyone can describe their setup that managed to login again?

Grok says they are reverting the changes now, should be fixed soon. Funny I can still get in to Gork.

Got here after finding myself stuck in that exact loop (which initially I assumed was a phishing attempt from a webview ad link I thought I accidentally clicked).

Looks like some users who have never used or heard of Yubikey report being locked out and stuck in the same loop.

im not alone. i have all same problem. Anyone know what happened?

Stuck in this loop also. Even re-enrolling with different Yubikeys didn't seem to solve this. It's persisting across different devices as well, happening both on iOS and on desktop.

locked as well rip

stuck but I've never used any hardware security keys on my account

Woke up thinking this was a bug with my device. Then I saw the email code thing, and figured I had misconfigured my domain DNS or forgotten to renew it. Who would've thought it was just x.com being x.com. Hopefully they fix it soon, this is ridiculous.

good to know I'm not alone, can't figure out how to get out of the re-enroll deadlock.

Also stuck in this endless loop.

This fixes it for me: - Open incognito - Go to https://x.com/settings/security_and_account_access - Log in, somehow this won't trigger that re-enroll loop - Disable two-factor auth in the settings - Log back in your regular browser tab

Yeah same for me, re-registering the Passkey in Bitwarden worked but it just loops after that with the same message. "Testing in prod" I guess.

EDIT: they fixed it now

nice to know i'm not specifically fucked here i guess

I've been trying to re-enroll mine when they prompted me previously and it didn't work then, I have no idea why they decided to force it when enrollment wasn't working already.

The post is gaining traction as more than a dozen users, including me, report the same issue.

Same here stuck in the Loop myself Added Iphone passkey tried loggin in but nothing

I'm stuck .... how can this go to prod.

I take solace in the fact that for this one time i'm not the only one stuck in a bs purgatory. Is it too much to ask of a roman-saluting trillionaire to not break basic things?

Same here, I've re-enrolled my Yubikeys 3 times so far, to the point that trying a full re-login asks "what do you want to use for 2FA?" and the list is 6+ generic named "Security Key".

Same problem here. Got logged out 30 min ago, can’t get back in. This is what happens when you hire Indians.

FFS. Me to.

me too, first time I heard about this Yubikey and they said that I needed to re-enroll to unlock... This just shows how weak we are in the social network era.

one of the reasons i waited so long to do it is bc i knew twitter would fuck it up... and lo and behold they now force you to... anddddd they fucked it up

Now it works, at least for me. Try now!

Kind of crazy this made it into production, one would think the geniuses at the everything app would be using security keys themselves and would have more interest than usual in making sure the enrollment process is flawless...

same

Also happening here across two accounts.

What happened to phased rollouts in production?

What a shitty UX, the only account I could sign in into was an old unused one

I don't even know what a Yubikey is and I'm stuck in this loop

smh. who pushed this nonsense to prod. I'm locked out too lol

Happened to me as well.

Side note, why isn't this on the front page? The points to recency ratio seems high enough.

Looks like they only test in `prod`. Probably they used grok to generate the tests code ;)

Yep, this is me as well.

Same here, tried 3 times and it seemed to be endless.

See also:

https://www.reddit.com/r/Twitter/comments/1ovd3wz/im_not_abl...

https://www.windowscentral.com/software-apps/live/x-goes-dow...

Glad to hear I'm not alone. Just made an account on this website to type this lol.

The twitter login loops are somehow WORSE than the Microsoft login page, which is crazy to believe. I have tried to save the passkey using Bitwarden and that also doesn't work, they clearly broke something.

Same - this should be a major SEV

me too