I'm not sure I'm a fan of this scheme. While it seems to solve Twitter's problems for the time being, it gives an incredible amount of power to the person who has your phone — which may not be you. Being able to authorize a new login without any kind of authentication on the administrative side (as managed by the Twitter client on your phone) means that anyone in possession of your phone is in charge of your account.
You leave your phone sitting around and someone else grabs it? That person can easily authorize a new, permanent login, and you probably won't even realize it.
If you're going to go as far as a second factor like this, why not authenticate the approval?
edit: verbiage and clarity
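To make the distinction concrete, here is an added illustration (not code from the post above, and not Twitter's implementation) of the two designs the commenter contrasts. In the first, the phone approves a pending login with a key that simply lives on the device, so whoever holds the phone can approve. In the second, the approval is MACed with a key derived from the device key and a PIN the user types at approval time; the server stored that derived key at enrollment and the phone keeps neither the PIN nor the derived key, so possession of the phone alone does not produce a valid approval. All class and function names, the PIN value and the "new-browser-login" client description are invented for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical names throughout; this is an illustration, not a real product's protocol.


def derive_approval_key(device_key: bytes, pin: str) -> bytes:
    """Key reproducible only by someone holding the device key AND knowing the PIN.
    PBKDF2 with the device key as salt; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_key, 50_000)


def approval_tag(key: bytes, nonce: str, client_desc: str) -> bytes:
    """MAC over the exact login request, so an approval cannot be reused for a
    different request (different nonce) or a different client."""
    return hmac.new(key, f"{nonce}|{client_desc}".encode(), hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.approval_keys: dict[str, bytes] = {}   # device_id -> key approvals must use
        self.pending: dict[str, tuple[str, str]] = {}  # nonce -> (device_id, client_desc)

    def enroll(self, device_id: str, approval_key: bytes) -> None:
        self.approval_keys[device_id] = approval_key

    def new_login_request(self, device_id: str, client_desc: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, client_desc)
        return nonce

    def submit_approval(self, nonce: str, tag: bytes) -> bool:
        entry = self.pending.pop(nonce, None)  # single use: a replayed nonce is rejected
        if entry is None:
            return False
        device_id, client_desc = entry
        expected = approval_tag(self.approval_keys[device_id], nonce, client_desc)
        return hmac.compare_digest(expected, tag)


class Phone:
    """The phone persists only its device key; the PIN stays in the user's head."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.device_key = secrets.token_bytes(32)

    def approve_possession_only(self, nonce: str, client_desc: str) -> bytes:
        # Anyone holding the phone can produce this: nothing has to be known.
        return approval_tag(self.device_key, nonce, client_desc)

    def approve_with_pin(self, nonce: str, client_desc: str, pin: str) -> bytes:
        # The PIN is required at approval time; the derived key is never stored.
        return approval_tag(derive_approval_key(self.device_key, pin), nonce, client_desc)


def possession_only_scenario() -> dict:
    """The scheme the post criticises: whoever grabs the phone can approve a login."""
    server, phone = Server(), Phone("phone-1")
    server.enroll(phone.device_id, phone.device_key)
    nonce = server.new_login_request(phone.device_id, "new-browser-login")
    thief_tag = phone.approve_possession_only(nonce, "new-browser-login")
    thief_accepted = server.submit_approval(nonce, thief_tag)
    replay_accepted = server.submit_approval(nonce, thief_tag)  # nonce already consumed
    return {"thief_accepted": thief_accepted, "replay_accepted": replay_accepted}


def authenticated_scenario(pin_entered: str, real_pin: str = "4827") -> dict:
    """Authenticated approval: the server expects a PIN-derived key it learned at enrollment."""
    server, phone = Server(), Phone("phone-1")
    server.enroll(phone.device_id, derive_approval_key(phone.device_key, real_pin))
    nonce = server.new_login_request(phone.device_id, "new-browser-login")
    tag = phone.approve_with_pin(nonce, "new-browser-login", pin_entered)
    return {"accepted": server.submit_approval(nonce, tag)}


if __name__ == "__main__":
    print("possession only:", possession_only_scenario())
    print("right PIN:", authenticated_scenario("4827"))
    print("thief guessing:", authenticated_scenario("0000"))
```

A real deployment would more likely have the phone sign the request with a private key that the OS only unlocks after a PIN or biometric check, rather than sharing a PBKDF2-derived secret with the server; the symmetric version above is used only because it keeps the "possession" versus "possession plus knowledge" difference visible in a few lines. Either way, the nonce-bound, single-use approval is what stops a captured approval from being replayed against a later login request.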