You may have heard that “X”, “the everything app”, is making users re-enroll their passkeys so they have passkeys that are saved for x.com instead of twitter.com.

Something that all of y’all should know is that, although passkeys are bound to an origin, passkeys *are* usable across origins (specific limitations apply). By adopting [Related Origin Requests](https://passkeys.dev/docs/advanced/related-origins/), the X app and website could make use of twitter.com passkeys. (Adopters of Related Origin Requests in production include Amazon, Microsoft, and Ticketmaster.)

Forcing users to re-enroll their credentials is categorically technically unnecessary, unless their goal was to ensure users never see “twitter.com” in password manager UI. Hypothetically, if I had to execute on *that* goal, I wouldn’t set a deadline by which I’d stop accepting twitter.com passkeys, because that’s an inconvenience for users that can turn into a self-inflicted downgrade attack of sorts.

Related Origin Requests

The Related Origin Requests (ROR) feature allows an RP to enable a passkey to be created and used across a limited set of related origins.

passkeys.dev
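
An added example, not part of the thread or of passkeys.dev: a simplified sketch of the check a WebAuthn client runs when a page asks for a passkey whose RP ID is not its own domain. The function names, the tiny `SUFFIXES` stand-in for the Public Suffix List, and the `SAMPLE` document are assumptions made for illustration; the document is constructed, not one either site is known to serve.

```javascript
// Assumption: a real client consults the full Public Suffix List.
const SUFFIXES = new Set(["com", "co.uk"]);
// Five is the minimum number of distinct labels the WebAuthn spec requires clients to support.
const MAX_LABELS = 5;

// Label immediately left of the public suffix: "x" for "www.x.com".
function registrableLabel(hostname) {
  const parts = hostname.split(".");
  for (let i = 0; i < parts.length; i++) {
    if (SUFFIXES.has(parts.slice(i).join("."))) {
      return i > 0 ? parts[i - 1] : null;
    }
  }
  return null; // unknown suffix: entry is ignored
}

// wellKnown is the parsed JSON fetched from https://<rpId>/.well-known/webauthn
function isRelatedOrigin(callerOrigin, wellKnown) {
  if (!wellKnown || !Array.isArray(wellKnown.origins)) return false;
  const labelsSeen = new Set();
  for (const entry of wellKnown.origins) {
    let url;
    try { url = new URL(entry); } catch { continue; } // skip malformed entries
    const label = registrableLabel(url.hostname);
    if (!label) continue;
    // Entries that would introduce a label past the limit are skipped, not matched.
    if (labelsSeen.size >= MAX_LABELS && !labelsSeen.has(label)) continue;
    if (url.origin === callerOrigin) return true;
    labelsSeen.add(label);
  }
  return false;
}

// Constructed sample: what an RP with RP ID "twitter.com" could publish.
const SAMPLE = { origins: ["https://x.com", "https://twitter.com"] };

console.log(isRelatedOrigin("https://x.com", SAMPLE));          // listed origin
console.log(isRelatedOrigin("https://login.x.com", SAMPLE));    // origins match exactly
```

Because the limit counts labels rather than entries, `https://e.com` and `https://e.co.uk` share one slot, while a sixth distinct label is ignored by a client that supports only the minimum.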

@timcappalli When I wrote this post, I missed that the passkeys.dev piece mentioned the specifics of the limit. I’ve updated my post to use this reference instead. :)

[Was going to reach out about the omission I thought was present.]

@rmondello I love to dunk on xitter as much as everyone else but branding *is* important. Why don't we show the origin instead of the RPID? Then they could do something like you suggested for username first authentication.

We are missing a solution for usernameless/conditional mediation too. Might be a good point of discussion at TPAC.

Edit: fix the stroke I was having

@nsa Branding *is* important, yes. Is it so important that it requires shutting off access to a phishing-resistant authentication mechanism for users who aren’t super online and proactive? I am arguing “No.”

I am not saying there isn’t more to be done to support rebrands. :)

@rmondello I'm seeing new installations of iOS 26.1 still have Twitter as one of the default Safari bookmarks instead of X. Is this Apple's way of boycotting the rebrand?
@ahnafm @rmondello I think it's more likely nobody bothered to change it
@rmondello Losing my passkey to what used to be known as twitter.com sounds amazing. Can I get early access?