Hacker News

The disadvantage of Twitter's approach, though, is that it requires the thing that holds the private key to connect to the internet to verify the request. This increases the attack surface (and is potentially a pain if your phone doesn't have internet access, for example if you have no mobile reception but want to use the Twitter web site on a PC with a wired connection). I've been wondering if it's possible to have an offline system like TOTP that uses a private key rather than a shared secret.

EDIT: Also it's a pain when Twitter's main web site is working but the bit that handles responding to approvals from the mobile client isn't, like, erm, right now.


