2. Replace the manual PIN entry requirement with something else. The OAuth 1.0a designers greatly underestimated the poor usability of manual PIN entry, especially on mobile devices. One suggestion off the top of my head: allow OAuth 1.0 (in addition to OAuth 1.0a) if--and only if--all parts of the OAuth authorization flow take place in the same TLS session (e.g. using TLS session resumption and/or a persistent HTTPS connection when/if Twitter supports persistent connections) and the application is registered as a desktop app (not a web app).

Raffi Krikorian wrote:
> hey fabien (and the rest of the list). what do you think we could do to improve this for all of you?
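To make the proposal concrete, here is an added illustration (not code from this thread, from Twitter, or from any OAuth library) of how a provider's token endpoint could implement the two acceptance paths side by side: the OAuth 1.0a path, where the consumer presents the oauth_verifier PIN the user copied out of band, and the proposed relaxation, where a consumer registered as a desktop app may skip the PIN only if the request-token, user-authorization and access-token steps all arrived over one TLS session. The TLS session identifier, the desktop-app registry and the in-memory token store are hypothetical structures constructed for the example.

```python
"""Model of the access-token step of an OAuth 1.0a-style flow.

Added illustration for the proposal in the thread above. The TLS session
identifier, the registry of desktop apps and the token store are all
constructed, in-memory stand-ins; a real provider would take the session
identity from its TLS terminator and the registry from its app database.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import hmac
import secrets


@dataclass
class RequestToken:
    consumer_key: str
    issue_tls_session: str               # TLS session the token was issued over
    auth_tls_session: Optional[str] = None  # TLS session the user authorized over
    verifier: Optional[str] = None       # PIN handed to the user on authorization
    authorized: bool = False


@dataclass
class AuthServer:
    desktop_apps: Set[str]               # consumer keys registered as desktop apps
    tokens: Dict[str, RequestToken] = field(default_factory=dict)

    def issue_request_token(self, consumer_key: str, tls_session: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = RequestToken(consumer_key, tls_session)
        return token

    def user_authorizes(self, token: str, tls_session: str) -> str:
        """User approves the request token; the server mints a 7-digit PIN."""
        rt = self.tokens[token]
        rt.authorized = True
        rt.auth_tls_session = tls_session
        rt.verifier = f"{secrets.randbelow(10**7):07d}"
        return rt.verifier

    def exchange(self, token: str, consumer_key: str, tls_session: str,
                 verifier: Optional[str] = None) -> bool:
        """Request token -> access token. Returns True if the exchange is allowed."""
        rt = self.tokens.get(token)
        if rt is None or not rt.authorized or rt.consumer_key != consumer_key:
            return False
        if verifier is not None:
            # Path 1 (OAuth 1.0a): the PIN proves the same user who authorized
            # is the one completing the flow. Constant-time compare.
            ok = hmac.compare_digest(verifier, rt.verifier or "")
        else:
            # Path 2 (proposal): no PIN, but only for desktop apps and only when
            # every step of the flow came over the very same TLS session.
            ok = (consumer_key in self.desktop_apps
                  and tls_session == rt.issue_tls_session == rt.auth_tls_session)
        if ok:
            del self.tokens[token]   # request tokens are single use
        return ok


def scenarios() -> Dict[str, bool]:
    """Run the interesting cases and report which exchanges were accepted."""
    srv = AuthServer(desktop_apps={"desktop-app"})
    out: Dict[str, bool] = {}

    # Desktop app, whole flow on one TLS session, no PIN: accepted.
    t = srv.issue_request_token("desktop-app", "tls-A")
    srv.user_authorizes(t, "tls-A")
    out["desktop_same_session_no_pin"] = srv.exchange(t, "desktop-app", "tls-A")

    # Desktop app, but the authorization step came over a different session:
    # refused without a PIN (the flow was not bound to one connection).
    t = srv.issue_request_token("desktop-app", "tls-A")
    pin = srv.user_authorizes(t, "tls-B")
    out["desktop_split_session_no_pin"] = srv.exchange(t, "desktop-app", "tls-A")
    # ...and the same token is still redeemable the 1.0a way, with the PIN.
    out["desktop_split_session_with_pin"] = srv.exchange(t, "desktop-app", "tls-A", pin)

    # Web app: never eligible for the relaxation, PIN required.
    t = srv.issue_request_token("web-app", "tls-C")
    pin = srv.user_authorizes(t, "tls-C")
    out["web_same_session_no_pin"] = srv.exchange(t, "web-app", "tls-C")
    out["web_wrong_pin"] = srv.exchange(t, "web-app", "tls-C", "0000000" if pin != "0000000" else "1111111")
    out["web_correct_pin"] = srv.exchange(t, "web-app", "tls-C", pin)

    # A redeemed token cannot be exchanged twice.
    out["replay_after_exchange"] = srv.exchange(t, "web-app", "tls-C", pin)
    return out


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:32} {'accepted' if accepted else 'refused'}")
```

The session check is deliberately an equality over all three steps rather than "issued and redeemed on the same connection": the proposal's security argument rests on the user's authorization having happened on that same connection too, which is what stops a request token authorized elsewhere from being redeemed without the PIN.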