Yep! As the author alluded to elsewhere in the comments, if you want to make _really sure_ that the user is a person in a browser instead of a rogue malware process on their machine you can combine this with a yubikey tap or webauthn attestation step.