WCAG AAA actually mentions that. Which includes things like OTP. It’s going to be tricky to balance security with accessibility in situations like this for those with cognitive and physical limitations
OTP is a success criteria instead of captchas but then you have issues with accessibility when you require somebody to have a device like a phone for the code or require them to app/context switch. So somebody using a device using their eyes or tongue as an input trigger would have a hard, if not impossible, time logging in with that arrangement.