Thanks. Interesting to note Google's take on OAuth usability issues.
Risk-based security: Some applications use more fine-grained controls to decide when to force a user to re-authenticate. The most common is that if a user wants to change their password, they usually have to re-authenticate as part of that process using their old password.
Any idea what the session length is with Twitter's OAuth?