TL;DR: Invisible proof of work can make bot abuse economically expensive while preserving user experience, according to Arkose Labs, which cites outcomes including an 85% false positive reduction versus CAPTCHA-only approaches and a 95% completion rate for users. The security question is no longer just detection quality, but whether identity controls can impose cost on automated abuse before account compromise begins.
NHIMG editorial — based on content published by Arkose Labs: Bot Detection Beyond CAPTCHA: Proof of Work Is Invisible Economic Barrier Against Sophisticated Threats
By the numbers:
- 85% false positive reduction compared to CAPTCHA-only solutions
- 95% completion rates versus 70% for visual challenges
- 80% reduction in successful bot attacks while maintaining user experience standards
Questions worth separating out
Q: How should security teams use proof of work against credential stuffing?
A: Use proof of work at the point where automated attempts become expensive, especially on login and password reset flows.
Q: When does proof of work reduce risk without creating too much friction?
A: It works best when the business loss comes from high-volume abuse and the challenge can run invisibly in the background.
Q: How do teams know if proof of work is actually working?
A: Look for a drop in successful automated attempts, a stable or improved completion rate for genuine users, and evidence that attacker infrastructure is spending more time per request.
Practitioner guidance
- Apply proof of work to high-risk entry points: Use computational challenges on login, registration, password reset, and transactional flows where credential stuffing or account creation abuse creates measurable loss.
- Tune challenge difficulty by device and risk: Set lower friction for low-power consumer devices and higher difficulty for automation-like behaviour, datacenter signals, or repeated failed attempts.
- Treat challenge telemetry as security data: Send solve time, latency, and device classification signals into fraud, bot, and account security analytics so the control contributes to detection and campaign correlation instead of acting only as a gate.
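A minimal hash-based proof-of-work exchange with risk-tiered difficulty, as an added example that is not Arkose Labs' implementation or code from the source article. The SHA-256 puzzle, the tier names, bit counts, TTL and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)                          # per-deployment secret (constructed)
BITS_BY_RISK = {"low": 8, "medium": 12, "high": 16}  # assumed risk tiers
TTL_SECONDS = 120                                    # assumed challenge lifetime

def _tag(nonce, bits, issued):
    # The HMAC binds difficulty and issue time to the nonce, so the server
    # keeps no state per challenge and a client cannot lower its own difficulty.
    msg = f"{nonce}:{bits}:{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _meets(nonce, counter, bits):
    # A solution is valid when the digest has at least `bits` leading zero bits.
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def issue_challenge(risk, now=None):
    issued = int(now if now is not None else time.time())
    nonce, bits = os.urandom(16).hex(), BITS_BY_RISK[risk]
    return {"nonce": nonce, "bits": bits, "issued": issued,
            "tag": _tag(nonce, bits, issued)}

def solve(challenge):
    # Client side: expected work doubles with every extra difficulty bit.
    counter = 0
    while not _meets(challenge["nonce"], counter, challenge["bits"]):
        counter += 1
    return counter

def verify(challenge, counter, seen, now=None):
    # Server side: one HMAC and one hash per check, so verification stays cheap.
    now = int(now if now is not None else time.time())
    elapsed = now - challenge["issued"]              # solve-time signal for telemetry
    expected = _tag(challenge["nonce"], challenge["bits"], challenge["issued"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        reason = "tampered"
    elif elapsed > TTL_SECONDS:
        reason = "expired"
    elif challenge["nonce"] in seen:
        reason = "replayed"                          # one solution, one request
    elif not _meets(challenge["nonce"], counter, challenge["bits"]):
        reason = "bad_solution"
    else:
        seen.add(challenge["nonce"])
        reason = "ok"
    return {"ok": reason == "ok", "reason": reason, "elapsed_s": elapsed}
```

The `reason` and `elapsed_s` fields are the kind of per-request record that can be forwarded to fraud and bot analytics alongside the risk tier that set the difficulty.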
What's in the full article
Arkose Labs' full analysis covers the operational detail this post intentionally leaves for the source:
- The article’s full implementation flow for proof of work challenge generation, solve, and verification
- More detail on device classification, difficulty levels, and configuration choices for different traffic types
- The performance figures and deployment examples behind login protection, registration abuse, and gaming use cases
Bot defense beyond CAPTCHA: what proof of work changes for IAM?
Explore further
Proof of work is a cost-shifting control, not a trust control. It does not prove that a user is legitimate in the identity sense. It makes high-volume automation more expensive and therefore less attractive, which is useful when the attacker’s advantage comes from scale rather than stealth. For IAM teams, the important point is that cost asymmetry can reduce abuse even when detection lags. The practitioner implication is to treat proof of work as one layer in account security, not as a substitute for identity assurance.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly delegated access can outgrow oversight.
A question worth separating out:
Q: Who should own proof of work controls in an identity programme?
A: Ownership usually sits across IAM, fraud, and security operations because the control affects access, abuse prevention, and behavioural telemetry at the same time. If no team owns the policy, challenge tuning, and measurement together, the control becomes either too weak to matter or too disruptive to keep.