So Twitter announced yesterday that they have now enabled optional two-factor authentication. "Great!" you may think, but think again... it seems Twitter has gone their own way and made it a right PITA to use. Ars Technica summarise it nicely...
Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign into Twitter through its website. This is the case even if it's from a computer or device that they've logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the phone first, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, then you can only secure a single account.
There are some additional limitations to Twitter's scheme. Other mobile devices and applications (such as HootSuite and TweetDeck) will have to be configured individually as they're added, using a temporary password generated through Twitter's applications page to be authorized on first login. Unlike the RFC 6238 scheme used by Google, Facebook, and Microsoft, there's no way to use standard, generic authentication apps to generate time-based, one-time passwords. So if you can't get the SMS, you're out of luck. And unlike those systems, there's no facility to create persistent application-specific passwords.
— Twitter launches two-factor authentication, too late to save The Onion | Ars Technica
Whilst enabling two-factor authentication is a great idea, I think their implementation may put off quite a few people. We'll see.