[brod]

This was a problem before Twitter allowed 2FA via SMS, so I'd argue this is very much a Twitter problem.

Afaict this all stems from mixing verification with authentication, where verification may be required when creating an account and authentication (and possibly more verification) when using the account.

[brod]

And even more simply, verifying the user is a "real person" in contrast to verifying the user is the "right person".

[nialv7]

How does that help? Surely the attacker is a real person too.