I was eager to read more about Digits, Twitter’s text message based one-time passcode service, when the message popped up in my inbox. Because with one-time passwords identity theft or password phishing are things of the past. And with Twitter another global player besides Microsoft and Google jumps onboard the anti-password campaign.

Twitter provides the development platform and messaging infrastructure that allows app developers to waive passwords. Users could use their mobile number as the first authentication factor and the one-time passcode provided by an SMS as second authentication factor for login to a service.

The good news is: The service is free of charge and, since Twitter uses its own trusted infrastructure, the service will be available in 191 countries with support for 28 languages from the start.

Sound’s really good.

But not everything that glitters is gold. Man-in-the-middle attacks could become as serious issue as well as tampering of mobile phone numbers. Hopefully Twitter has developed a threat model for the new service and mitigated at least the known the vulnerabilities.

A new era of IT security is downing …