Use proof of work at the point where automated attempts become expensive, especially on login and password reset flows. The goal is to force each attempt to consume attacker compute while keeping verification cheap for the server. Measure success by reduced automated success rates, not just by how many challenges were issued.
Why This Matters for Security Teams
Proof of work is most useful when credential stuffing is treated as an economic attack, not just a nuisance. The control should make each automated guess costly enough to slow large-scale abuse while preserving a cheap verification path for the service. That matters because stuffing is often distributed, adaptive, and fast enough to bypass simple rate limits, especially when attackers reuse leaked credentials across login and password reset flows.
For security teams, the real objective is not challenge volume. It is reducing the return on automation without degrading legitimate users or creating a new denial-of-service lever. Current guidance suggests pairing proof of work with signal-based detection, bot scoring, and step-up controls rather than using it as a standalone gate. The OWASP Non-Human Identity Top 10 is a useful reminder that automation abuse often thrives where controls are either too static or too expensive to operate at scale.
NHIMG research on the Secret Sprawl Challenge shows why attackers continue to find valid credentials in circulation: secrets and credentials are repeatedly exposed, reused, and harvested faster than teams can rotate them. In practice, many security teams encounter credential stuffing only after account takeover patterns, support tickets, or payment fraud have already appeared, rather than through intentional early detection.
How It Works in Practice
Proof of work should be inserted at the point where the attacker must spend compute for each attempt, usually before the server performs expensive identity checks or password verification. In practice, the server issues a challenge tied to the specific request, and the client must compute a valid response before the attempt is processed. The server then verifies the response with minimal work. That asymmetry is the value.
Used well, proof of work supports three goals: slow automated guessing, make bot orchestration more expensive, and create a measurable cost signal that can feed detection. It is stronger when the challenge is request-specific, short-lived, and harder to precompute. It also works best when combined with device, IP, and behavioural signals so legitimate users do not face the same friction as high-risk traffic.
- Apply it to login, password reset, and account recovery flows where stuffing creates outsized risk.
- Use adaptive thresholds so low-risk sessions see little or no friction.
- Keep server-side verification lightweight to avoid amplifying load during attacks.
- Tie challenge difficulty to current abuse conditions, not a fixed global setting.
For identity hygiene, this should sit alongside credential lifecycle controls. NHIMG’s State of Non-Human Identity Security research highlights the broader problem: 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which reinforces how often abuse begins with long-lived or exposed secrets. For standards context, NIST SP 800-63 Digital Identity Guidelines is relevant because authentication strength must be balanced with usability and phishing resistance, not treated as a single control. These controls tend to break down in high-volume consumer apps with volatile traffic because difficulty tuning becomes fragile and legitimate users can be trapped by false positives.
Common Variations and Edge Cases
Tighter proof of work often increases user friction and support overhead, requiring organisations to balance attack cost against usability and accessibility. That tradeoff becomes more acute when traffic patterns vary sharply by geography, device class, or peak business events.
Best practice is evolving on whether proof of work should be used as a primary defence or only as a layered friction control. For some environments, especially high-value consumer accounts, it is a useful throttling mechanism. For others, it is less effective because attackers can distribute requests across botnets, rent compute cheaply, or selectively target high-yield accounts where a few successes justify the effort.
It is also important not to confuse proof of work with identity assurance. It does not prove the user is legitimate; it only raises the cost of automation. That means it should be complemented with breached-password screening, rate limiting, anomaly detection, MFA step-up, and session risk scoring. The Ultimate Guide to NHIs — Static vs Dynamic Secrets is a useful reference when teams are deciding whether to add friction at the edge or fix the underlying credential exposure path. The 230M AWS environment compromise is another reminder that once credentials are exposed, attackers move quickly and at scale. Where reverse proxies, shared sessions, or aggressive caching interfere with challenge issuance, proof of work tends to fail because the request path no longer preserves a reliable one-to-one challenge and verification flow.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses credential misuse and reuse patterns that underpin stuffing attacks. |
| NIST CSF 2.0 | PR.AA-1 | Authentication assurance must be risk-based when adding friction to login flows. |
| NIST AI RMF | Risk measurement and governance help evaluate whether proof of work actually reduces abuse. |
Reduce exposure of reusable credentials and enforce rotation where stuffing risk is highest.
Related resources from NHI Mgmt Group
- How should security teams reduce fraud when attackers use deepfakes and synthetic identities?
- How should security teams defend against both jailbreaks and prompt injection?
- How should security teams harden mobile KYC against deepfake injection attacks?
- How should security teams defend against phishing when attacks move beyond email?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
