Did you update to version 5.9 of Twitter for iOS, released 8/6, featuring support for login verification? Maybe the notification should mention that requirement.
Or don't send a notification to that deviceToken until the user has installed the new version of the app and sync'd at least once. (Letting the server know the deviceToken points at the newer version of the app.)
Yep.. As I said, I can see the "Login Requests" page for that account and it says "No Pending Login Requests".. Plus I had to use the iOS app to set up and enable two-factor auth in the first place.