“It's only in your head!”


CerebraLock in effect displays a number of security questions (one per entry screen / row) which all have a number between 1 and 'radix' as their answer. The question is: "How many of the displayed items in each row have special meaning to you?". In the real life case, you provide the list of items and only you will know which items are special or "known" (e.g. names of family members, friends, high school teachers, lovers, pets or street names, vacation spots etc.)

The result of an access procedure is a numeric password (as displayed by the checked radio buttons - and below the submit button:-) made up of the digits 1 through 'radix' (default: 4) and of a length (default:5) determined by the trade-off between convenience and security requirements. In the default case, the sequence length is 5 entry screens resulting in 4^5 (= 1,024) different passwords. 10 entry screens would result in 1,048,576, 16 entry screens in 4,294,967,296, and in general: (radix)^(sequence length). Radix and sequence length can be changed with the controls on the bottom of the access screen.

Each access procedure displays another combination of known and unknown items, so keylogging, phishing and observing are useless - the next procedure will require a different answer. This also means you won't be able to write down these passwords, nor will you need to (or, for that matter memorize them,) because all of them are already in your head!

Each entry screen is randomly picked from a large pool of pre-computed different combinations. Since you are only comparing items, their order does not matter - they can be shuffled just before being displayed without changing the solution. And, importantly, the only information stored on the server is the solution to each screen, not which items are known!


CerebraLock can be used wherever access control or authentication is required:

• door locks (watch the video)
• safes and vaults
• point of sale terminals
• ATMs
• mobile devices
• CAPTCHAs (the example access screens are exactly that)
• websites
• protect encryption keys (see CerebraLock App)

The pool of access sequences (ID file) can be uploaded to a device for stand-alone operation or to a server for internet-based authentication.

Features & Advantages

• simple to implement
• culture and language independent; the user provides the text or image items
• usable by humans; you set your passwords (no more "Tz3VuA$Aux9TWATRv+af5sMeyzMJwsQC...WTF?")
• no extra hardware required
• nothing to memorize - or forget
• passwords cannot be written down or shared
• passwords do not have to be changed regularly
• different ID files (based on the same items) can be safely used for different verifiers
• resistant to keylogging, phishing, shoulder surfing and dictionary attacks
• leaves no physical clues (e.g. smudges on screen or keypad giving away usage patterns)
• server sends single images; client sends codes that are specific to each individual access procedure
• text items can be read out loud and required responses are single digits - usable by visually impaired persons or over the telephone
• very flexible; parameters can be changed according to security requirements even for each access procedure
• error tolerance; legitimate users can get some screens wrong and still gain access
• coercion option - user can secretly trigger an emergency action during an access procedure

Drawbacks & Disadvantages

• some effort required for (one-time) setup
• higher bandwidth requirements; especially for images
• higher storage requirements (vs. passwords)
• longer time per access procedure

Copyright ©2014 bitSplit™ Enterprises. All rights reserved. Patented.
All trademarks and copyrights remain the property of their respective owners.
Last updated April 23 2014