Users Stuck in YubiKey Re-Enrollment Loop on X (Twitter)

Same here, been reporting the broken flow to customer support. An interesting part is the "we'll send you an email to confirm you're you", followed by a "enter validation code here" screen that immediately gets forwarded to the re-enrollment message. Also, no confirmation emails are being sent. Very surprised to see this being deployed to prod.

Same here on 2 accounts, both having 2fa through a HW key(yubikey; though passkeys have the same behavior). At some point today(few hours ago) both my desktop and phone got reditected to x.com/account/access, where the loop started.

Frustratingly enough, i had already done the "re-enrollment" a long time ago(basically when they announced it was mandatory), but it seems like that was pointless(hopefully not).

I saw some prompts about birdhouse, re-did the enrollment, and badly enough (I think i dug my own hole with this one) it asked to remove the other 2FA option (SMS), to which I clicked yes.

This might sound bad but I sincerely hope X fixes it somehow, and all the keys enrolled/re-(re-[etc])-enrolled are not lost, especially those that were not added today. It might be a good idea (in practice, bad for security) to disable this new "https://x.com/account/access?flow=two-factor-security-key-po..." garbage fully, as I don't see myself contacting X support anytime soon(for obvious reasons).

Glad to hear I'm not alone. Just made an account on this website to type this lol.

The twitter login loops are somehow WORSE than the Microsoft login page, which is crazy to believe. I have tried to save the passkey using Bitwarden and that also doesn't work, they clearly broke something.

Prompted a couple of times only on the mobile device. I have a YibiKey 4 so it's inconvenient to do it with a USB-C to USB-A adapter. Ignored it for a while and eventually I wasn't able to use X without "re-enroll".

So I did it on a laptop. The process seemed legit, the entire flow was weird and not intuitive, I had to stop and read twice before proceeding (e.g. "Where to store passkey", disable all other MFA ans only use Security Key, a backup recovery code was given...). After going through all that, find myself locked out of X because of the infinite re-enroll loop, OMG.

Contacted support, let's see how long it takes. After this, I don't think I'll continue to use Security Key with X...

Same for me. I've seen many people being back to normal though.

I re-enrolled on mobile using a Yubikey NFC with the iOS app back in October when prompted.

Force logged-out today from a session on Desktop Chrome. Stuck in the loop. Force logged-out on iOS app.

Burnt recovery code in further attempts.

Tried again when support asked me to by email. Got a "suspicious login attempt prevented" message. That's 2 hours ago. Silence from support since.

Tried again, back to the loop (the "suspicious login attempt" message is gone), but I'm still not able to re-enroll the key.

Anyone can describe their setup that managed to login again?

Same here, I've re-enrolled my Yubikeys 3 times so far, to the point that trying a full re-login asks "what do you want to use for 2FA?" and the list is 6+ generic named "Security Key".

Same here - simply cannot fix it, and it's somewhat annoying that it talks about Yubikeys when I'm only using on-device security keys instead. Must be very confusing for many others!

Yeah same for me, re-registering the Passkey in Bitwarden worked but it just loops after that with the same message. "Testing in prod" I guess.

EDIT: they fixed it now

This fixes it for me: - Open incognito - Go to https://x.com/settings/security_and_account_access - Log in, somehow this won't trigger that re-enroll loop - Disable two-factor auth in the settings - Log back in your regular browser tab

Oh wow, here's the thread I was looking for.

I'm stuck in the same loop and effectively locked out of my account. I wanted to complain about this on X and of course I can't do that. I also wanted to see if I was the only one affected or it was more widespread, but of course being logged out it's impossible.

Thankfully there's still HN :)

Grok says they are reverting the changes now, should be fixed soon. Funny I can still get in to Gork.

Woke up thinking this was a bug with my device. Then I saw the email code thing, and figured I had misconfigured my domain DNS or forgotten to renew it. Who would've thought it was just x.com being x.com. Hopefully they fix it soon, this is ridiculous.

Got here after finding myself stuck in that exact loop (which initially I assumed was a phishing attempt from a webview ad link I thought I accidentally clicked).

Looks like some users who have never used or heard of Yubikey report being locked out and stuck in the same loop.

The post is gaining traction as more than a dozen users, including me, report the same issue.

"Get a YubiKey," they said. "It'll be fun!," they said.

Grrrrr.....stuck like Chuck.

Kind of crazy this made it into production, one would think the geniuses at the everything app would be using security keys themselves and would have more interest than usual in making sure the enrollment process is flawless...

My account seems to be back, I didn't do anything. Just went to X and now it loads.

Now to see what configuration is set for 2fa on my account...

Looks like my traditional 2fa method was removed and only the security key is left.

I don't even know what a Yubikey is and I'm stuck in this loop

I've been trying to re-enroll mine when they prompted me previously and it didn't work then, I have no idea why they decided to force it when enrollment wasn't working already.

Stuck in this loop also. Even re-enrolling with different Yubikeys didn't seem to solve this. It's persisting across different devices as well, happening both on iOS and on desktop.