by avidiax
1711 days ago
It doesn't mean that they store in cleartext, but they may as well. They can generate the phone password on the client side and send both passwords to be salted, hashed, and stored separately. That much seems OK. But the salted+hashed phone password is incredibly weak. It can be brute forced readily unless it is very long. From the brute forced phone password, the regular password can be brute forced as well, since the digits of the phone password tremendously constrain the characters of the regular password. It's very much like the Hollywood hacking where the hackers progressively lock digits of your password and eventually discover the whole thing.
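The two-stage attack avidiax describes, as an added worked example that is not part of the original thread. It assumes a site that derives a digit-only "phone password" by mapping each letter of the real password to its standard telephone keypad digit (a/b/c to 2, ..., w/x/y/z to 9, digits unchanged) and stores both values as separate salted SHA-256 hashes; the keypad mapping, the hash construction, the salt and the sample password are all constructed assumptions for illustration. Stage one walks the 10^n digit strings to recover the phone password; stage two searches only the characters consistent with each digit and recovers the real password from a keyspace of about 7^n instead of 62^n.

```python
import hashlib
import itertools
import math
import string

# Added example, not code from the original thread. The keypad mapping, the
# single salted SHA-256 and the sample salt/password below are assumptions.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
CHAR_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
CHAR_TO_DIGIT.update({d: d for d in string.digits})


def phone_password(password):
    """Derive the keypad digits the client would send for this password."""
    try:
        return "".join(CHAR_TO_DIGIT[c] for c in password.lower())
    except KeyError as exc:
        raise ValueError(f"no keypad digit for character {exc}") from None


def salted_hash(secret, salt):
    """Stand-in for the server's salted hash (assumed single SHA-256)."""
    return hashlib.sha256(salt + secret.encode()).hexdigest()


def brute_force_phone_password(target_hash, salt, length):
    """Stage 1: only 10**length digit strings exist, so try all of them."""
    for digits in itertools.product(string.digits, repeat=length):
        candidate = "".join(digits)
        if salted_hash(candidate, salt) == target_hash:
            return candidate
    return None


def candidate_sets(digits):
    """Per position, the characters that could have produced that digit:
    its keypad letters in both cases plus the digit itself (0 and 1 map
    only to themselves)."""
    sets = []
    for d in digits:
        letters = KEYPAD.get(d, "")
        sets.append(letters + letters.upper() + d)
    return sets


def brute_force_password_from_digits(target_hash, salt, digits):
    """Stage 2: search only combinations consistent with the known digits."""
    for combo in itertools.product(*candidate_sets(digits)):
        candidate = "".join(combo)
        if salted_hash(candidate, salt) == target_hash:
            return candidate
    return None


def keyspace_reduction(digits, alphabet_size=62):
    """Return (unconstrained keyspace, keyspace once the digits are known)."""
    constrained = math.prod(len(s) for s in candidate_sets(digits))
    return alphabet_size ** len(digits), constrained


if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed, not a real value
    real_password = "Cat42"         # constructed sample password
    digits = phone_password(real_password)
    h_phone = salted_hash(digits, salt)
    h_password = salted_hash(real_password, salt)

    recovered_digits = brute_force_phone_password(h_phone, salt, len(real_password))
    recovered_password = brute_force_password_from_digits(h_password, salt, recovered_digits)
    full, constrained = keyspace_reduction(recovered_digits)
    print(f"phone password {recovered_digits} -> password {recovered_password}")
    print(f"keyspace without digits: {full:,}; with digits: {constrained:,}")
```

For the five-character sample the phone password falls to a 100,000-guess search and the real password to 16,807 candidates, against roughly 916 million for an unconstrained alphanumeric search of the same length; a slow hash (bcrypt, scrypt, Argon2) raises the cost per guess but does not change the ratio, which is why the digit-only value is the weak link.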