[jlmorton]

While I agree that Twitter's mechanism addresses the vast majority of potential attacks against a person's Twitter account (which would almost always be remote), it's not hard to imagine a scenario like Authy describes.

Imagine you're at work, logging in to a two-factor system. Now imagine your attacker is sitting 15 feet away from you. All the attacker needs to do is wait for you to attempt to login to the system before attempting to login himself.

When we have penetration tests run against us, this is exactly what is happening. We give the penetration tester a desk, a connection to the internal corporate network, and the same bare level of access we would give to a temporary contract employee.

[DaveMebs]

And if you see multiple requests on your phone, you know it's an attack and you should reject both. The criticism is basically "someone might see a bunch of requests and, not knowing which is theirs, approve them all." If someone is that foolish, you're already in trouble.

[abalone]

I agree except for the part about not caring about foolish users.

For me, it is more about asking yourself what approach will increase the overall security of a system. User adoption is a critical consideration. That is where Twitter's approach shines. It's something that is super easy to adopt, no numbers to type in, which means literally millions more users may adopt it. Authy is undervaluing that consideration.

Yes, this is vulnerable to a) foolish users who approve duplicate requests and b) have an attacker looking over their shoulder.

Pretty good tradeoff IMHO.