where I think about authentication

Tokens or passwords - which are more important?

Should you be able to revoke tokens, e.g. for lost devices or for logins you forgot about on your friends' devices (as you can do on Twitter now)? Or should you be able to reset the password when you're authenticated with a token in, say, an iPhone client app, and an attacker has changed your password, email and security question/answer, and you don't have any browser sessions left?

You can't allow both: whichever of the two credentials an attacker holds, they can use it to take the other one away from you. If you just add password changing and browser session destruction to the token API, that only helps against a stupid attacker who doesn't know how to revoke OAuth tokens.

Maybe two-factor auth would work. Services like Twitter don't use it because only really paranoid people would want to type in a one-time verification code sent by SMS (or generated by a Google Authenticator-ish app) just to sign in to such a service. People use it for Gmail because it holds a lot of private stuff, but social networks, especially Twitter, are mostly about public stuff.

But what if they required two-factor auth for changing the password (and phone number and email) and for revoking tokens? That sounds like a great idea because it isn't annoying: you only need a password to sign in, but you must confirm it's you when you want to change your password or revoke an OAuth token.
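As an added illustration (not code from the original post or from any real service), here is a small Python model of that step-up policy: any live session, password or OAuth token, can read, but changing the password, email or phone number, or revoking a token, is refused unless a one-time code was verified within the last few minutes. The TOTP scheme, the five-minute window and the account fields are my assumptions.

```python
import hashlib
import hmac
import struct

# Constructed model of "step-up" verification for sensitive account actions.
STEP_UP_WINDOW = 300  # seconds a step-up verification stays fresh (assumed)
SENSITIVE = {"change_password", "change_email", "change_phone", "revoke_token"}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    def __init__(self, otp_secret: bytes, tokens: set[str]):
        self.otp_secret = otp_secret
        self.tokens = set(tokens)               # live browser sessions / OAuth tokens
        self.verified_at: dict[str, int] = {}   # token -> time of its last step-up
        self.email = "user@example.invalid"     # constructed sample value


def step_up(acct: Account, token: str, code: str, now: int) -> bool:
    """Mark `token` as step-up verified if the one-time code is correct."""
    if token not in acct.tokens:
        return False
    if not hmac.compare_digest(code, totp(acct.otp_secret, now)):
        return False
    acct.verified_at[token] = now
    return True


def perform(acct: Account, token: str, action: str, now: int, value: str = "") -> str:
    """Run `action` on behalf of `token`; sensitive actions need a fresh step-up."""
    if token not in acct.tokens:
        return "denied: not authenticated"
    if action in SENSITIVE:
        last = acct.verified_at.get(token)
        if last is None or now - last > STEP_UP_WINDOW:
            return "denied: step-up required"
    if action == "revoke_token":
        acct.tokens.discard(value)
        acct.verified_at.pop(value, None)       # a revoked token loses its step-up too
    elif action == "change_email":
        acct.email = value
    return "ok"
```

In this model an attacker who only knows the password can sign in and read, but cannot change the email or revoke the phone's token without the code, which is the property the post asks for.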