[ponkpanda]

Perhaps requiring webauthn credential for any post/comment with a whitelist of permitted webauthn hardware devices which must have touch/interaction enabled.

I'd have to read the FIDO specs, however the only place I've seen webauthn hardware pinning in the wild is with Azure AD/Entra which is ostensibly based on token GUID. If this is the only enforcement mechanism available, it's spoofable.

[nkrisc]

Then you’ll end up with a forum of only bots because they’ll spoof it and real people won’t put up with the hassle.

[tialaramex]

FIDO tokens are designed to able (if authorized by the software, your web browser typically offers a pop-up where you can decline this) to prove their membership of a batch of tokens, but not their individual identity.

The Entra feature you thinking of lets somebody say "Only things which can prove they're in this list work". This could make sense if you, as their employer, issue every employee a custom DoodadCorp Doodad FIDO key and so you don't want somebody's Yubikey or off-brand generic device to work. It's stupid and you shouldn't do it in other scenarios, but your "this is how we detect humans" idea is arguably a scenario where that could make sense.

[Edited to add: This feature is called "Attestation"]

[wbl]

Doesn't actually work that well. Browsers hate this, the hardware isn't actually difficult for bots to access, and privacy story is bad. There are solutions being worked on.

[layer8]

This would result in hardware farms of such devices being automatically operated, like the existing iPhone farms used for similar purposes.