It's absolutely possible to automate an "attested" phone with a physical robot finger, which is neither extremely complicated or expensive tech. It might be too expensive for mass-scale DDOS, but it would still be cost-effective for more interesting things like click fraud.