Hacker News

This is an interesting way to get people who use non-official Twitter mobile clients to install the official client again.

On a serious note, it sounds like they are seriously engineering this so that even someone who has gained access to Twitter's servers cannot access the user secrets:

We chose a design that is resilient to a compromise of the server-side data’s confidentiality: Twitter doesn’t persistently store secrets, and the private key material needed for approving login requests never leaves your phone.

But if someone has gained access to Twitter's servers, isn't this nuance a bit moot? Presumably if I've gained access to their servers then I can also find a way to tweet as someone else or approve their OAuth requests somehow.



If you have live server access, yes (you can do whatever you want at that point). But if you just have a data breach, then no. A data breach of the public keys wouldn't require them to reset two-factor auth for the impacted users. An attacker would need each user's private keys to authorize login attempts, and Twitter doesn't store that anywhere, so it can't be breached en masse from them.
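The public-key approval model the reply describes, as an added example that is not from the thread or from Twitter's own code: the server keeps only each user's public key and a one-shot random challenge, the phone signs the challenge with a private key that never leaves the device, and a leaked copy of the server's table therefore cannot produce a valid approval. The user name, the 32-byte challenge and the Ed25519 choice are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds, per user, only the public key and any outstanding login challenge.
// A copy of this data (a breach) contains nothing that can sign an approval.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key the phone sends once at setup; the private key stays on the phone.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// StartLogin issues a fresh 32-byte random challenge for one login attempt.
func (s *Server) StartLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) } // no entropy: refuse rather than issue a guessable challenge
	s.pending[user] = c
	return c
}

// Approve succeeds only if sig verifies over the pending challenge under the stored public key.
// The challenge is consumed before verifying, so each one allows a single attempt and no replay.
func (s *Server) Approve(user string, sig []byte) bool {
	c, ok := s.pending[user]
	delete(s.pending, user)
	pub, enrolled := s.pubKeys[user]
	return ok && enrolled && ed25519.Verify(pub, c, sig)
}

func main() {
	// Phone side: key pair generated on the device; priv is never transmitted.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	srv := NewServer()
	srv.Enroll("alice", pub)
	fmt.Println("phone approval:", srv.Approve("alice", ed25519.Sign(priv, srv.StartLogin("alice")))) // true
	srv.StartLogin("alice") // an attacker holding a copy of srv.pubKeys has no key to sign with
	fmt.Println("forged approval:", srv.Approve("alice", make([]byte, ed25519.SignatureSize))) // false
}
```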



