Is there a reason you guys don't like the honeypot technique that Mouse Catcher pointed out?
I like honeypots, and timers go nicely with them so long as they're not stupid on both ends: that is, if I must hit refresh and submit within a second of each other, don't also assume I'm a bot. That one hits me when someone's site has some other timeout that forces me to refresh to submit. Dumb dumb.
I don't care for 2-factor in something like submitting comments. I do like it with something like banking. Unfortunately mobile phones are slowly becoming the main method, which requires possession of a smart phone. Anyone who demands this of me had better go buy me one.
I saw a demo of Google's 2-factor auth at the Perl conference, and I didn't really like it much: it used UTC as a salt, which is never guaranteed to be the same between any two devices (unless you can sync them first... funny thing, time: it'll differ in your altitude and geopolitically there's all these little spots where crap doesn't match up like it should...), and the devices doing your auth need to get the secret from the server (shared secret). Transmitting that secret had some problems for users, and had several places for intrusion. Meh.
My bank uses 2-factor auth (or 3? card, card reader and PIN) but instead of trying to get a shared secret onto a device of your choice, you instead get the device straight from the bank. They seem to have batteries inside that you can't change yourself, so you can ask for multiples of these things and they're interchangeable. They consist of a card reader and a random number generator. Dunno how random is random, but the display is limited in the number of characters it can show... 12 or 14 I think.
Ralph was referring to the post above him, who did not expressly mention something non-intrusive like honeypots.
BTW, login forms for anything a user considers throwaway is indeed a discouragement (though discouragement is perhaps exactly what you want, if for example you're trying to discourage trolls and throwaways from posting comments somewhere). Fewer people post comments/do a free trial/whatever where they must first log in. Luke W has shown in data users are quicker to abandon "free software" tryouts if registration, login or other mentally-taxing chores are required first. When users believe it matters (like banking, or posting on a personal account like a social media platform), users consider logging in to be worthwhile, and are more likely to go through with it.
I only agree with the first part of that comment. Passwords don't tell humans from machines. They authorise users, who at times may be machines. For example, our search engine logs into (our) things using a password (and a username). It is a legitimate user. It is not human. It is authorised, however.
Every time those aren't true, it fails.
So I'm practically cheering advances in robots reading and describing images, if only to stop the worst of CAPTCHAs, the image CAPTCHAs. As someone math-inhibited though, I do worry those would take over at that point.