Bot defense beyond CAPTCHA: what proof of work changes for IAM


(@nhi-mgmt-group)

TL;DR: Invisible proof of work can make bot abuse economically expensive while preserving user experience, according to Arkose Labs, which cites outcomes including an 85% false positive reduction versus CAPTCHA-only approaches and a 95% completion rate for users. The security question is no longer just detection quality, but whether identity controls can impose cost on automated abuse before account compromise begins.

NHIMG editorial — based on content published by Arkose Labs: Bot Detection Beyond CAPTCHA: Proof of Work Is Invisible Economic Barrier Against Sophisticated Threats

By the numbers:

Questions worth separating out

Q: How should security teams use proof of work against credential stuffing?

A: Use proof of work at the point where automated attempts become expensive, especially on login and password reset flows.

Q: When does proof of work reduce risk without creating too much friction?

A: It works best when the business loss comes from high-volume abuse and the challenge can run invisibly in the background.

Q: How do teams know if proof of work is actually working?

A: Look for a drop in successful automated attempts, a stable or improved completion rate for genuine users, and evidence that attacker infrastructure is spending more time per request.

Practitioner guidance

  • Apply proof of work to high-risk entry points: Use computational challenges on login, registration, password reset, and transactional flows where credential stuffing or account creation abuse creates measurable loss.
  • Tune challenge difficulty by device and risk: Set lower friction for low-power consumer devices and higher difficulty for automation-like behaviour, datacenter signals, or repeated failed attempts.
  • Treat challenge telemetry as security data: Send solve time, latency, and device classification signals into fraud, bot, and account security analytics so the control contributes to detection and campaign correlation instead of acting only as a gate.

What's in the full article

Arkose Labs' full analysis covers the operational detail this post intentionally leaves for the source:

  • The article’s full implementation flow for proof of work challenge generation, solve, and verification
  • More detail on device classification, difficulty levels, and configuration choices for different traffic types
  • The performance figures and deployment examples behind login protection, registration abuse, and gaming use cases

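The practitioner guidance above, as an added example that is not part of the original post and not Arkose Labs' implementation: a hashcash-style SHA-256 challenge with risk-tiered difficulty, bound to one flow, single use, and returning telemetry on verify. The tier names, bit counts, 120-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # constructed per-process key; assumes a managed secret in production
# Assumed risk tiers -> required leading zero bits (illustrative values, not from the article)
DIFFICULTY_BITS = {"low": 8, "medium": 12, "high": 16}

def issue_challenge(flow, risk, now=None):
    """Server: stateless challenge; an HMAC tag binds flow, difficulty and issue time."""
    issued = int(now if now is not None else time.time())
    body = f"{flow}:{DIFFICULTY_BITS[risk]}:{issued}:{os.urandom(8).hex()}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client: lowest nonce whose SHA-256(challenge|nonce) meets the difficulty."""
    bits = int(challenge.split(":")[1])
    nonce = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, flow, seen, now=None, max_age=120):
    """Server: tag, flow, freshness and replay checks, then the work. Returns (ok, info)."""
    body, _, tag = challenge.rpartition(":")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, {"reason": "bad_tag"}          # forged or edited, e.g. lowered difficulty
    c_flow, bits, issued, _salt = body.split(":")
    age = int(now if now is not None else time.time()) - int(issued)
    if c_flow != flow:
        return False, {"reason": "wrong_flow"}       # solved for a different entry point
    if not 0 <= age <= max_age:
        return False, {"reason": "expired"}          # solutions cannot be stockpiled
    if challenge in seen:
        return False, {"reason": "replayed"}         # one solution, one request
    digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False, {"reason": "insufficient_work"}
    seen.add(challenge)
    # Telemetry for fraud/bot analytics: issue-to-submit time per flow and difficulty
    return True, {"flow": flow, "bits": int(bits), "solve_age_s": age}
```

The `seen` set stands in for a shared store with expiry; rejection reasons are worth logging alongside the success telemetry, since a spike in `replayed` or `bad_tag` is itself a campaign signal.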