How OAuth Fails on a Mobile Device
An excerpt from an email I wrote on the Twitter Dev Group:
“But the real problem is for mobile devices, especially for devices that don’t have Copy and Paste functions (like the iPhone, up until recently). Twitter doesn’t have a login page for OAuth that really is made for mobile phones, so the user has to perform extra actions (zooming, panning, etc.) to be able to login. The PIN method of verification doesn’t work well for phones that don’t have Copy and Paste (like pre-3.0 iPhone, if you plan on supporting that), but then neither does the Browser option work, because you can’t really launch an app from a URL (with the exception of the iPhone, but Twitter doesn’t allow non-standard URL schemes).
OAuth on mobile devices doesn’t work. Let’s go back to the iPhone (which I use as an example because I am a developer for it). You can’t be contaminated with viruses, you can’t get malware, and you can’t get spyware. The only way you can get software at all (“legally”) is to get it from Apple, through the App Store, and Apple already does filtering, and strips out malicious apps. Since the App Store is the only medium to get apps, you have to want and then go download them. There is no third party here putting malicious code on your device and stealing your credentials. There is only the user, who wants to use your app, downloads it, and then is asked if he wants to allow this app to access Twitter. If he doesn’t want to let it access Twitter, why the heck did the user download the app in the first place?
Sure, I chose the iPhone, but from what I understand, other phones have app stores of their own: Android has their Marketplace, Blackberry has one, Palm will soon get one if they don’t already have one. People want to use Twitter on these devices, even full clients. But trying to login to OAuth on that tiny screen, with a PIN that you may or may not be able to copy and paste (depending on your device capabilities), is just a big hassle.
For my Twitter client, I’ve gone ahead and done all the OAuth authentication behind the scenes. I’ll ask them for a username and password, and log them into OAuth myself without them having to ever see a web browser. “Wait! You shouldn’t do that!” Whatever! I’m selling this Twitter client on the App Store for two dollars. If a user doesn’t want to let my app access Twitter, why is he wasting two bucks to download an app he will not use? It does not make sense!
I understand that OAuth is implemented to give the user an extra net of security, but I’m not sure that the OAuth system is the best one to use. What would be best is a system that can be used on any platform, with any device, mobile or desktop. Modifying the login to do something different for mobile clients, like a different way of authenticating (such as choosing a picture: show a picture in the web browser, send possible images to the client, then have the user choose the correct picture they saw), would be fantastic! At the very least, mobile versions of OAuth login and authentication should be implemented.”
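As an added example (not code from the email, from Twitter, or from the author's client), here is the three-legged OAuth 1.0a flow the email is complaining about, run offline against a stand-in provider so both sides' messages are visible: the PIN ("oob") variant, and the callback-URL variant a phone app could receive through a custom URL scheme. The host provider.example, the consumer key/secret, the account and the endpoint paths are all constructed for the example; the percent-encoding, signature base string and HMAC-SHA1 rules follow RFC 5849.

```python
"""Three-legged OAuth 1.0a with the out-of-band ("oob"/PIN) callback, run offline: a Client
and a Provider exchange the messages a phone app and Twitter would; everything is constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit

PROVIDER = "https://provider.example"  # hypothetical stand-in for the API host

def pct(s):  # RFC 5849 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' are left unencoded
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & base URL & sorted, encoded params (url is passed already normalized)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):  # HMAC-SHA1, RFC 5849 3.4.2
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class Provider:  # stand-in service: the only party that ever holds passwords
    def __init__(self):
        self.consumers = {"app_key": "app_secret"}  # registered client app (constructed)
        self.users = {"alice": "correct horse"}     # constructed account
        self.request_tokens, self.access_tokens = {}, {}  # token -> state dict / (secret, user)

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        sent = p.pop("oauth_signature", "")
        secret = self.consumers.get(p.get("oauth_consumer_key"), "")
        return hmac.compare_digest(sent, sign(method, url, list(p.items()), secret, token_secret))

    def request_token(self, method, url, params):  # leg 1
        if not self._verify(method, url, params):
            raise PermissionError("bad consumer signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None, "user": None,
                                      "callback": dict(params).get("oauth_callback", "oob")}
        return token, secret

    def authorize(self, token, username, password):
        """Leg 2, the browser login page: returns the PIN for callback 'oob', else the callback URL."""
        if not hmac.compare_digest(self.users.get(username, "").encode(), password.encode()):
            raise PermissionError("bad login")
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = username, f"{secrets.randbelow(10**7):07d}"
        if rt["callback"] == "oob":
            return rt["verifier"]
        return f"{rt['callback']}?oauth_token={pct(token)}&oauth_verifier={rt['verifier']}"

    def access_token(self, method, url, params):  # leg 3
        p = dict(params)
        rt = self.request_tokens.pop(p.get("oauth_token"), None)  # request tokens are single use
        if (rt is None or not rt["verifier"]
                or not hmac.compare_digest(p.get("oauth_verifier", ""), rt["verifier"])
                or not self._verify(method, url, params, rt["secret"])):
            raise PermissionError("bad verifier or signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = (secret, rt["user"])
        return token, secret

class Client:
    """The phone app: holds its consumer key/secret and tokens; it has no password field at all."""
    def __init__(self, provider, key, secret, callback="oob"):
        self.provider, self.key, self.secret, self.callback = provider, key, secret, callback
        self.request = None  # (token, token_secret) while the flow is in progress

    def _signed(self, url, extra, token=None, token_secret=""):
        params = [("oauth_consumer_key", self.key), ("oauth_nonce", secrets.token_hex(8)),
                  ("oauth_signature_method", "HMAC-SHA1"),
                  ("oauth_timestamp", str(int(time.time())))]
        params += ([("oauth_token", token)] if token else []) + extra
        params.append(("oauth_signature", sign("POST", url, params, self.secret, token_secret)))
        return params

    def start(self):  # get a request token; return the URL the user must open in a browser
        url = f"{PROVIDER}/oauth/request_token"
        self.request = self.provider.request_token(
            "POST", url, self._signed(url, [("oauth_callback", self.callback)]))
        return f"{PROVIDER}/oauth/authorize?oauth_token={pct(self.request[0])}"

    def finish(self, verifier):  # trade request token + verifier (the PIN) for an access token
        url = f"{PROVIDER}/oauth/access_token"
        token, token_secret = self.request
        return self.provider.access_token(
            "POST", url, self._signed(url, [("oauth_verifier", verifier)], token, token_secret))

def verifier_from_callback(url):  # URL-scheme variant (myapp://...): the OS hands the app this URL
    return parse_qs(urlsplit(url).query)["oauth_verifier"][0]

def run_pin_flow(provider, username, password):  # the oob flow end to end; returns the token's user
    app = Client(provider, "app_key", "app_secret")
    app.start()                                                   # user opens the returned URL
    pin = provider.authorize(app.request[0], username, password)  # typed into the browser
    token, _secret = app.finish(pin)                              # user copies the PIN into the app
    return provider.access_tokens[token][1]
```

The property worth noticing sits in Provider.authorize: the username and password are checked there, on the provider's own page, and the Client object has nowhere to store them; what the app ends up holding is a token the user can revoke later without changing the password. The workaround described in the email (collecting the password in the app and driving the login form itself) gives up exactly that separation, and the request token is also deliberately single use, so a leaked or replayed PIN exchange fails.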