Authy (who make consumer and enterprise products for multi-factor authentication) offered their two cents on Twitter’s latest implementation, which works by having you acknowledge login attempts on your iPhone or Android phone. Twitter will show you things like the browser and a general location so you can verify that you’re the one making the attempt, but Authy says this isn’t that secure in practice.
In fact, we publicly tested this about a year ago and realized that showing the IP, location, browser or any other data wasn’t enough for people to determine if they should or should not authorize a request. Further, this data is easy to spoof (like location), so if the attacker is familiar with the user, he can easily select “good” values to further trick the user into authorizing the request. TOTP might seem like a hassle, but the user knows exactly where he is typing the token and the whole authentication flow happens right in front of him.
TOTP stands for “Time-based One-time Password.” If you have Google Authenticator, you’re already familiar with the concept: the mobile app derives a short numeric code from a secret shared with the site and the current time (so the code changes every 30 seconds and cannot be replayed later), and you type that code into the login form on your computer. It’s what you’ll find sites like Amazon, Dropbox, and Google using if you decide to enable multi-factor authentication for those accounts.