Hi Adam,

Let's say you legitimately use OAuth with, say, Dabr on your home PC.
You then go to work and use OAuth with Dabr on your work Mac.
Same site, different computers and IP addresses - but no difference in functionality. You just get the OAuth prompt. This is the way it is supposed to work, you may want to be logged in from multiple locations.

I think Twitter showing how many tokens you've authorised for each service may be a better idea than what they do currently. That way, you could revoke the token for a malicious user without having to revoke all of your tokens for a specific site.

It's a knotty usability problem, that's for sure.