• I make websites
• If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
• I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
• I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
• but spam (automated account creation) is a real problem

What kind of auth should I use for my websites?