Trust tokens (WICG explainer, web.dev, spec, tutorial) are a new web API (a part of Google's Privacy Sandbox initiative) that lets the browser determine whether the user can be trusted (i.e. not a spammer or similar bad actor), without the browser and the website exchanging private information. Instead, the browser transmits attestations (trust tokens) from issuers (such as Google), which apply whatever invasive tracking they would apply anyway to distinguish humans from spambots, to publishers (such as Wikipedia), using a cryptographic protocol that ensures the issuer and the publisher don’t learn about each other’s identity or the user’s identity on the other one’s website.
Given Wikimedia's deeply dysfunctional current antispam system (see T241921: Fix Wikimedia captchas), we should look into this option. While - based on past discussions - there might be some community concerns around pressuring users to opt into invasive tracking by creating a more pleasant registration experience for them if they do, and creating a bias against those who don’t, on net this still seems like a great replacement for captchas. For users with trust tokens enabled (currently a random 10% of Chrome users, in the future maybe most users) the antispam verification process would be completely invisible; for others we’d fall back to the current captchas.
Trust tokens are currently supported in Chrome in origin trial mode, with full release expected in May. We should run a controlled experiment to see how well they filter spambots in practice.