These trivial mitigations at least filter out low-effort script kiddies. People gaming the system “for real” will put incredible effort into getting around your countermeasures. You always have to be one step ahead of them.
It may be “trivial” to someone with a high level of expertise. But the number of moving parts required in that automation does add a significant barrier to most of the “script kiddies” that are using bots.
You still need to automate account creation and setting up of a TOTP token, that’s not “easy” for a lot of people.
Low device limit per phone number/payment card, with the standard checks for VOIP would probably make things painful enough for most. Heck, outsource the bot checking and require a Facebook/Gmail/Apple/Twitter/whatever login. Intrusive as heck, but it works relatively well since those companies have already whacked a million moles.