I already know this is not a duplicate.
The input boxes could be like:
Username: (username)
Country: (select country)
Phone number: (country code) (enter a number)
(Sorry no screenshots!)
Then, once entered, you may see:
Enter the code sent to the mobile phone number ending in **
(put a six-digit code here)
Write down these backup codes as well. You need them in case your phone is lost!
******
******
******
******
(x10, not 4)
When logging in from an unrecognized device:
After entering username and password:
Enter one of the backup codes you wrote down or the code sent to the mobile phone number ending in **
If you don't have any of these, please contact us.

Why a phone number?

In case you don't have access to your email. Also the setting can be optional.

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

What is a phone number email?

45afc4td wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

What is a phone number email?

…
He meant it like this: “phone number and email (if you have one)”.

45afc4td wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

What is a phone number email?

There is no such thing as a phone-numbered email. Also, you answered the wrong question; 45afc4td asked: Who has a phone number but not an email?
Edit: I knew the most recent response was by WindOctahedron before my first reply on this topic, but I didn't know it's for the same question.

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

Maybe censor out every digit except the last two?
Ugh, the 60-second rule gets annoying!

45afc4td wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

What is a phone number email?

Sorry, I clicked the wrong code thing. I meant "and".

kChiaEC19 wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

Maybe censor out every digit except the last two?
Ugh, the 60-second rule gets annoying!

Guessing two digits is easy. That's only 18 combinations.

-Iimitless- wrote:

Guessing two digits is easy. That's only 18 combinations.

Classic mistake - that's assuming that there's a way to independently verify each digit, and you're also forgetting about 0.

Assuming there is no way to independently verify both digits - both much be guessed at once (there's two digits, let's call this n), and there's 10 (let's call this p) positions for each digit, then the number of combinations is pⁿ - in this case, it would be 10² = 100 combinations.

-Iimitless- wrote:

45afc4td wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

What is a phone number email?

Sorry, I clicked the wrong code thing. I meant "and".

kChiaEC19 wrote:

Dragonlord767 wrote:

Who has a phone number but not an email?

Anyway, what if your password is guessed, and now some random can get your phone number
and email. Someone having your email is bad enough.

Maybe censor out every digit except the last two?
Ugh, the 60-second rule gets annoying!

Guessing two digits is easy. That's only 18 combinations.

• I think you mean 100 or 99, not 18.
  
• What I mean by “censoring out every digit but the last two” is not letting someone else see your full phone number if they log in to your account but keeping it privately in Scratch's servers. This way, if you have to text or call support (if Scratch supports it), it will have to verify the full phone number (not just the last two digits) with the account name in order for you to get your account back.
  

I think I should also add to the suggestion that the first part of the email address before the @ (and also the last part before the dot if not from a popular email provider domain that the Scratch Team manually added to their list of common providers like gmail.com or outlook.com) should also be censored out. You may also need to provide the full current phone number if you need to update it.
For example, let's say someone set a phone number in their account settings and typed 2601345789 (not my phone number, so please don't try to call; I won't be able to pick it up if you do) and selected the country United States. It would automatically be interpreted as +1 (260) 134-5789. However, in the account settings, it would show as +1 (***) ***-**89. Then, if you have to change the phone number, a hacker may not be able to determine the associated phone number with the account, and so may not be able to provide the phone number stored (+1 (260) 134-5789) correctly to be able to change it.
As for the email part of the suggestion, they could show the email associated with my account (the actual email) as ****@************.ca, or for an email address that ends in something popular like live.com, they could show ****.***@live.com (this is just an example) instead of john.doe@live.com. If it's not a popular company, a hacker can see (without that list that I mentioned in the last paragraph) the whole domain and look up email addresses in that domain and spam each of them with spam emails.
Edit: I didn't realize that @Flowermanvista submitted the noticing of the first mistake before I did.

no support. scratch is for people with young ages, some don't have phones. (unless parents)‮

Boomer001 wrote:

no support. scratch is for people with young ages, some don't have phones. (unless parents)‮

He said,

kChiaEC19 wrote:

Also the setting can be optional.

We don't collect phone numbers because it would be illegal to collect phone numbers on a website primarily used by kids. Sorry, but I will need to close this thread because it is a rejected (and illegal) suggestion.