A deep dive into our "Cognitive Airgap" technology. Understanding how we defeat Phishing, RATs, and advanced automated attacks.
The "Sum & Select" logic creates a wall between your secret and the machine.
You choose 4 favourite vegetables/fruits out of 54. These 4 become your permanent secret identity. The system also assigns you 2 secret alphabet letters, but these are only to help you REMEMBER your salt number; they are not part of the formula.
54 items, pick 4 = 316,251 unique combinations. Every user's set is different. Your letters X and R are just a personal memory anchor for your salt; the system never uses them in the calculation.
At every login, one of your 4 fruits appears on screen, but WHICH one and its position rotate randomly on every refresh. Beside it is a fresh random number. This number changes every single session; it cannot be predicted or reused.
Even if a hacker watches five logins in a row, each shows a different fruit in a different position with a different number. There is no pattern to exploit.
Simple. Screen Number + Your Secret Salt = Your Answer. That's it. The salt is a number only you know. It never appears on screen, never travels over the network, never sits in any database. It lives only in your head.
A hacker sees 52 on screen and 99 being entered. They cannot reverse-engineer 47 from that alone, because they don't know which of infinite possible salts you used, and next login the screen number will be completely different anyway.
You type the result on a scrambled keypad. The keypad digits are in a random order every session, so even if someone films your finger movements, they cannot know which number you pressed. The answer is validated in milliseconds and the token is immediately destroyed.
The scrambled keypad defeats shoulder surfing and camera spying. The one-time token defeats replay. The cognitive salt defeats screen recording. Three independent defences active simultaneously.
Watch why a hacker who captures your first login answer is completely helpless on Tuesday.
The Cognitive Airgap
Your salt (47) never appears on any screen, never travels over any network, and is never stored in any database. It exists only in your mind. You remember it from the scoreboard: D (4th letter = 4) · G (7th letter = 7) → 47. No system can leak what no system knows.
Security by the Numbers
You don't memorize a password. You follow a match. A live cricket match you already know by heart.
Imagine a tense cricket match. Your team is batting and only 4 batsmen are left. The crowd is watching. The scoreboard is live. Here's how you login:
Layer 1: Your 4 Selected Batsmen from 54 (rotate randomly each refresh)
You chose these 4 at registration. Every login, ONE is randomly placed at the crease; the order changes every refresh.
Only the batsman at the crease is shown. Today it's Kohli with score 40. Tomorrow it could be Rohit or Dhoni with a completely different score. The other 3 are hidden; you just recognise your own player instantly.
Layer 2: Runs Required to Win (Your Secret Salt, just a number)
Only you know how many runs are needed to win. That number is your secret salt, a plain number that never appears anywhere. The formula is simply: Screen + Salt = Answer.
Layer 3: The Scoreboard Letters (How You Remember Your Salt)
Layer 3 โ The Scoreboard Letters (How You Remember Your Salt)
The scoreboard always shows two letters after the match ends.
• The first letter that appears: its position in the alphabet = first digit of your salt.
• The second letter that appears: its position = second digit of your salt.
D (4th) · G (7th) → 4 · 7 → salt = 47
The letters are never added to the formula. They are purely your personal key to recall the salt number. The system never uses D or G in any calculation; only you know how to read them.
Your 4 favourite players (fruits). One walks out at every login, and you recognise your player instantly. The score beside them is shown on screen.
A plain number only you know. You add it mentally to the batsman's score shown on screen. Formula: Screen Number + Salt = Answer. That's it. Nothing else enters the formula.
Two letters on the scoreboard after the match. They are your personal mnemonic to recall your salt number; they are never part of the formula itself. Only you know how they connect to your salt.
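The login flow described in the steps above (and again in the cricket walkthrough): a one-time challenge bound to a session ID, a random one of the user's 4 items with a fresh screen number, a scrambled keypad, and the Screen + Salt = Answer check, as an added Python sketch. This is illustrative code, not the vendor's API. It assumes a screen-number range of 10 to 99, a 60-second challenge lifetime, and that the backend keeps an HMAC of each user's salt so it can check the sum; the user record and item names are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for this example (not from any real deployment).
KEYPAD_DIGITS = "0123456789"
SCREEN_MIN, SCREEN_MAX = 10, 99        # assumed range of the on-screen number
CHALLENGE_TTL_SECONDS = 60             # assumed challenge lifetime

def hash_salt(user_id, salt):
    """Keep only an HMAC of the cognitive salt, keyed per user (an assumption of this example)."""
    return hmac.new(user_id.encode(), str(salt).encode(), hashlib.sha256).hexdigest()

# Server-side user record: the 4 chosen items and the hashed salt (47 is the page's example).
USERS = {"alice": {"items": ["item03", "item17", "item29", "item51"],
                   "salt_hash": hash_salt("alice", 47)}}

_pending = {}   # session_id -> challenge state; one entry per outstanding login attempt

def issue_challenge(user_id):
    """Create a fresh challenge bound to a new session id and return what the screen shows."""
    keypad = list(KEYPAD_DIGITS)
    secrets.SystemRandom().shuffle(keypad)            # scrambled keypad order per session
    view = {
        "item": secrets.choice(USERS[user_id]["items"]),  # which of the 4 items is shown
        "position": secrets.randbelow(4),                 # where on screen it appears
        "screen": SCREEN_MIN + secrets.randbelow(SCREEN_MAX - SCREEN_MIN + 1),
        "keypad": "".join(keypad),
    }
    session_id = secrets.token_hex(16)
    _pending[session_id] = {"user": user_id, "screen": view["screen"],
                            "expires": time.monotonic() + CHALLENGE_TTL_SECONDS}
    return session_id, view

def verify(session_id, answer):
    """Check answer == screen + salt; the challenge is consumed whether or not it passes."""
    ch = _pending.pop(session_id, None)               # one-time: destroyed on first use
    if ch is None or time.monotonic() > ch["expires"]:
        return False
    candidate = answer - ch["screen"]                 # the salt the answer implies
    expected = USERS[ch["user"]]["salt_hash"]
    return hmac.compare_digest(hash_salt(ch["user"], candidate), expected)
```

Because the challenge is popped on first use, a captured answer cannot be replayed against the same session, and a new session carries a different screen number.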
We never know who your users are. We only know if they passed the test.
Three of the most dangerous real-world attacks: explained, and then dismantled.
A hacker creates a fake login page that looks exactly like yours. You type your password, they capture it and instantly relay it to the real site to log in as you.
The visual challenge (the batsman's score) is generated fresh and bound to a specific session ID on our backend. A fake site cannot generate a valid challenge. And even if they relay the challenge in real time, your answer is computed from your secret salt and alphabets; the hacker sees a meaningless number and cannot derive your formula.
A RAT is malware that gives an attacker a live view of your screen. They watch you type in real time, seeing your OTP as you receive it, and recording every keystroke.
The RAT can see your screen: it sees Kohli's score of 40 and it sees you type 55. But it cannot see your mental math. The 12 (your salt) and your alphabets X and R never appear anywhere. The answer 55 is useless next login because the batsman's score will be completely different. The secret is a formula, not a value, and formulas live in minds, not screens.
A spy in a café, bus, or ATM queue watches over your shoulder. They observe which keys you press, memorise your PIN, and use it later from their own device.
Two defences activate at once. First, the keypad is scrambled randomly, so the spy can't even map your finger position to a digit. Second, even if they somehow read the number you typed (55), it will be wrong on the next login because the batsman's score changes. Watching you once is completely useless.
Passkeys are better than passwords, but they still have critical hardware and device-level weaknesses. Here's why cognitive authentication goes further.
Access is gone. Passkey lives on the device. Lose the phone, lose your login.
Nothing to lose. Your salt lives in your head. Any device, anywhere.
Practically only Google, Apple & Microsoft. Hard for independent apps to implement from scratch.
Any app, any backend, any platform. Drop in our API. Works everywhere in minutes.
A RAT with full device access can trigger biometric prompts silently, intercept fingerprint data, or abuse the stored credential directly.
RAT sees the screen number. RAT sees what you type. But the salt is never on the device โ it cannot be extracted by any malware.
Browser has full access to the passkey flow. Malicious extensions or a compromised browser can trigger authentication silently without any user awareness.
The formula computation happens in your brain, not the browser. No extension or script can compute your salt for you.
Fingerprint and face data are used. If the OS or a rogue app captures raw biometric sensor data, that identity signal can be abused.
No biometrics involved. Nothing biological is captured. Your auth factor is a thought, not a fingerprint.
Tied to registered device. Cross-device login is limited and complex to set up.
Works on any browser, any device. Your formula travels with you, in your memory.
The Fundamental Difference
Passkeys move your secret from a password to a device. We move it to your mind. A device can be stolen, cloned, or fully compromised by malware. A thought cannot. The cognitive airgap is the only authentication factor that survives full device compromise.
Malware that views your screen remotely to steal OTPs. Hackers can see your screen in real-time, but they cannot read your mind.
Fake login pages that steal credentials to relay them. They try to trick you into entering your password on a clone site.
Using leaked passwords from other sites to break in. If you reuse passwords, hackers can try them everywhere.
Stealing an active login token to bypass auth. Attackers extract your session cookie to impersonate you.
Automated bots trying millions of combinations to guess your password or PIN.
An attacker physically watches you type your PIN or password in public. They observe your keystrokes or the screen over your shoulder to steal your credentials.
Join the developers who are shutting down phishing and automated attacks for good.