So, experimentally, I've discovered that this makes Twitter accounts subject to DoS attacks. Codes are taking ~70 seconds to arrive right now for me. If I have your username and password, I can just keep logging in with them and having it generate new codes, which invalidates any previous codes. As long as I keep attempting to log in, you will be prevented from logging in, since the latency to receive the SMS code is greater than the time it takes me to attempt another login, thereby invalidating the code that will be received.
Wow.
This also means that I can either a) flood you with text messages, or b) trip some threshold that will prevent Twitter from sending you text messages. In either case, a clever attacker who has the username and password could use this to cause a lot of grief for an account holder.
(This is, by the way, yet another argument for device-based TOTP.)
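A small model of the issuance policy the thread describes, as an added example (not Twitter's code): the weak policy drops any outstanding code whenever a new login attempt succeeds at the password step, while the hardened policy keeps issued codes valid until they expire and rate-limits how often a fresh SMS goes out. The `simulate` helper, the user name `alice`, the 70-second delivery latency and the 10-second attacker retry interval are constructed for illustration.

```python
import secrets
import time

class SmsCodeIssuer:
    """Toy SMS login-code issuer (constructed example, not a real service's code).

    invalidate_on_reissue=True reproduces the behaviour described above: each
    new attempt replaces the outstanding code, so one still in transit is dead
    on arrival. With False, issued codes stay valid until their TTL and a new
    SMS is only sent once per min_interval seconds.
    """
    def __init__(self, invalidate_on_reissue, ttl=300, min_interval=60, clock=time.time):
        self.invalidate_on_reissue = invalidate_on_reissue
        self.ttl = ttl
        self.min_interval = min_interval
        self.clock = clock
        self.codes = {}      # user -> list of (code, expires_at)
        self.last_sent = {}  # user -> time the last SMS was sent

    def request_code(self, user):
        """Called after a correct password; returns the code sent, or None if rate-limited."""
        now = self.clock()
        if self.invalidate_on_reissue:
            self.codes[user] = []  # weak policy: discard any code still in transit
        elif now - self.last_sent.get(user, float("-inf")) < self.min_interval:
            return None  # hardened policy: previous code is still valid, send nothing new
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes.setdefault(user, []).append((code, now + self.ttl))
        self.last_sent[user] = now
        return code

    def verify(self, user, code):
        """Accept any unexpired code for the user; a successful code is single-use."""
        now = self.clock()
        live = [(c, exp) for c, exp in self.codes.get(user, []) if exp > now]
        ok = any(secrets.compare_digest(c, code) for c, _ in live)
        self.codes[user] = [] if ok else live
        return ok

def simulate(invalidate_on_reissue, sms_latency=70, attacker_interval=10):
    """Victim requests a code at t=0; someone holding the password re-requests every
    attacker_interval seconds; the victim's SMS arrives after sms_latency seconds.
    Returns whether the victim's code is still accepted when it finally arrives."""
    t = [0.0]
    issuer = SmsCodeIssuer(invalidate_on_reissue, clock=lambda: t[0])
    victim_code = issuer.request_code("alice")
    while t[0] < sms_latency:
        t[0] += attacker_interval
        issuer.request_code("alice")  # repeated password-stage logins
    return issuer.verify("alice", victim_code)
```

Under the weak policy `simulate(True)` returns False (the victim is locked out for as long as the retries continue); under the hardened policy `simulate(False)` returns True, and the retries also stop generating extra text messages.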
But, this grief is still less than the grief they'd go through if they didn't have Two Factor Authentication enabled, no? Yes, DoSing and SMS spam sucks, but not nearly as much as having your account successfully hijacked.