No, it's fundamentally different - but I haven't explained myself well... Take the following user journey. Abraham visits Example.com - which promises to be the best Twitter client ever. He types in his username and presses enter. (In the background, Example.com passes the username & a secret token to Twitter. Twitter checks that the IP of the request matches the token (much like OAuth). Twitter sends back Abraham's pre-arranged secret and asks for the 3rd, 4th and last character from his password.) Example.com displays "Your secret Twitter pass phrase is 'Moscow geese fly south for winter'. Please type the 3rd, 4th & last character of your password." Abraham is satisfied that Twitter thinks this site is genuine. He types in "ssd". Example.com passes that to Twitter and - if satisfactory - gets back an OAuth token. So, Abraham doesn't have to remember anything more complicated than his username and password - like now. He doesn't have to expose his entire password to Example.com. If he's stuck in the Duchy of Grand Fenwick - a repressive regime - he doesn't need to visit Twitter.com to authenticate himself. He is also immune to phishing because his pre-arranged secret (which he can change & is independent of his password) can only be retrieved by a trustworthy site. Does that make a bit more sense?
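The journey above, simulated end to end as an added Python example (this is not code from the thread, and it is not how Twitter or any real provider implements login). It models the three properties the comment relies on: the site's secret token is only honoured from the IP it was issued to, the pre-arranged pass phrase is released only after that check passes, and the provider verifies just the requested password characters before issuing an OAuth-style token. Everything concrete is constructed for the demo: the IdentityProvider and ThirdPartySite classes, the IP addresses, and Abraham's password "password", chosen because its 3rd, 4th and last characters are the "ssd" in the comment.

```python
import hmac
import secrets

# Constructed demo data (not from the thread).
DEMO_USERNAME = "abraham"
DEMO_PASSWORD = "password"   # 3rd, 4th, last characters -> "s", "s", "d"
DEMO_PASS_PHRASE = "Moscow geese fly south for winter"
GENUINE_SITE_IP = "203.0.113.10"   # IP Example.com registered with the provider


class IdentityProvider:
    """Stands in for Twitter in the described flow (hypothetical implementation)."""

    def __init__(self):
        self.users = {}        # username -> (password, pre-arranged pass phrase)
        self.site_tokens = {}  # site secret token -> IP it was issued to
        self.pending = {}      # challenge id -> (username, 0-based positions)

    def register_user(self, username, password, pass_phrase):
        # 3rd, 4th and last must be three distinct positions, so require >= 5 chars.
        if len(password) < 5:
            raise ValueError("password too short for a 3rd/4th/last challenge")
        self.users[username] = (password, pass_phrase)

    def register_site(self, site_ip):
        """Issue a secret token bound to the site's IP, as the comment describes."""
        token = secrets.token_hex(16)
        self.site_tokens[token] = site_ip
        return token

    def _site_is_trusted(self, site_token, request_ip):
        registered_ip = self.site_tokens.get(site_token)
        return registered_ip is not None and registered_ip == request_ip

    def start_login(self, username, site_token, request_ip):
        """Step 1: release the pass phrase and the character positions only to a trusted site."""
        if not self._site_is_trusted(site_token, request_ip):
            return None                     # stolen token used from elsewhere: no phrase
        record = self.users.get(username)
        if record is None:
            return None
        password, pass_phrase = record
        positions = [2, 3, len(password) - 1]   # 3rd, 4th and last (0-based)
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (username, positions)
        return {"challenge_id": challenge_id, "pass_phrase": pass_phrase,
                "positions": [p + 1 for p in positions]}   # 1-based for display

    def finish_login(self, challenge_id, answer, site_token, request_ip):
        """Step 2: check the partial password; issue an OAuth-style token on success."""
        if not self._site_is_trusted(site_token, request_ip):
            return None
        pending = self.pending.pop(challenge_id, None)  # single-use challenge
        if pending is None or answer is None:
            return None
        username, positions = pending
        password, _ = self.users[username]
        expected = "".join(password[i] for i in positions)
        if not hmac.compare_digest(expected.encode(), answer.encode()):
            return None
        return secrets.token_hex(16)


class ThirdPartySite:
    """Stands in for Example.com. It never sees the whole password."""

    def __init__(self, provider, site_token, ip):
        self.provider = provider
        self.site_token = site_token
        self.ip = ip   # the IP the provider will see the request coming from

    def login(self, username, answer_fn):
        challenge = self.provider.start_login(username, self.site_token, self.ip)
        if challenge is None:
            return {"pass_phrase": None, "oauth_token": None}
        # The site shows the phrase and asks for the listed characters;
        # answer_fn plays the user and returns what they type.
        answer = answer_fn(challenge["pass_phrase"], challenge["positions"])
        token = self.provider.finish_login(challenge["challenge_id"], answer,
                                           self.site_token, self.ip)
        return {"pass_phrase": challenge["pass_phrase"], "oauth_token": token}


def run_journey(request_ip=GENUINE_SITE_IP, answer="ssd"):
    """Run the whole journey; request_ip and answer let the test vary the outcome."""
    provider = IdentityProvider()
    provider.register_user(DEMO_USERNAME, DEMO_PASSWORD, DEMO_PASS_PHRASE)
    site_token = provider.register_site(GENUINE_SITE_IP)
    site = ThirdPartySite(provider, site_token, ip=request_ip)
    return site.login(DEMO_USERNAME, lambda phrase, positions: answer)


if __name__ == "__main__":
    print("genuine site:", run_journey())
    print("token replayed from another IP:", run_journey(request_ip="198.51.100.7"))
    print("wrong characters:", run_journey(answer="xxx"))
```

Three runs cover the cases the comment cares about: the genuine site gets the phrase shown and a token issued; the same site token presented from a different IP gets neither, which is what keeps the phrase out of a phishing page; and the right site with the wrong characters gets the phrase but no token.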