If only used at Twitter, this is useless. They went through the effort and security risk to develop a custom protocol that doesn't involve shared secrets. Good for them. But if your shared secret only allows access to Twitter and is only stored on Twitter's servers, its compromise probably entails their servers getting owned. In which case, the authentication schemes don't matter.
Where this is somewhat more useful, however, is if you want to provide third party systems with two factor auth and not store a secret per user/service pair. Then Twitter's servers being compromised and revealing the shared secret might expose other services. Of course, given how small HOTP/TOTP secrets are, I don't think that's much of a problem.
Note, the usability issue is orthogonal to the protocol. You could easily make an app that does TOTP/HOTP but has the response codes sent by the app with confirmation instead of being entered into the login prompt manually, just as you could manually have people enter the response for the Twitter auth challenge.
The next step, IMO, should be for Twitter to extend this to let third party websites and apps authenticate using Twitter's new protocol. Ultimately it could be worth more than Twitter's core business. Essentially Facebook Connect done right, in a privacy-protecting way, with higher security.
Do you remember, only about 4 months ago, a fake tweet on the Associated Press Twitter account about the White House being bombed caused a stock market flash crash of nearly 1%, which is over 100 billion dollars, in the matter of 10 seconds or so???
That's why Twitter HAS to provide robust security for the high-credibility accounts or watch those accounts be closed down. Anything else is great, but the REAL driving force is to secure the 140 characters.