Section 5

Statistical Analysis of the Multi-Select Challenge Model

The IWISI challenge engine uses a mathematical design to maximize entropy while minimizing unauthorized success through a cognitive air-gap model.

1) Search Space Expansion

Moving from single-choice to multi-select changes the attack model from selecting one answer to selecting a subset of answers. For n presented choices, the attacker now faces 2^n combinations.

Single-choice guess: 1/n. Multi-select guess: 1/(2^n)

With 5 primary choices, random pass probability changes from 1/5 (20%) to 1/32 (3.125%).

2) None of the Above as a Zero-Knowledge Trap

None of the Above (NOTA) is a conditional operator: it is correct only when the intersection between displayed options and true identity anchors is empty. This forces independent evaluation of all options and blocks process-of-elimination shortcuts.

3) Variable Correct Count Prevents Satisficing

With a variable number of correct answers c (for example, 0 through 3), users cannot stop after recognizing one familiar item. This reduces satisficing behavior and keeps decoys mathematically relevant in each prompt.

4) c = 0 Is a Defensive Ceiling

When a generator emits zero valid anchors for a prompt, the actor must correctly avoid selecting decoys and choose NOTA. This state is especially effective against brute-force scripts that assume at least one visible match exists.

5) Seven-Stage Battery and Entropy Slope

Cumulative success is the product of per-question success probabilities.

If P(question) = 1/32 and there are 6 quiz questions, P(quiz pass) = (1/32)^6

That is about 1 in 1.07 billion. Each additional question contributes a new log-scale protection layer.

6) PIN as a Hard-Stop Multiplier

The 4-digit PIN introduces a second independent challenge type (recall vs. recognition).

P(total bypass) = P(quiz bypass) * P(PIN guess) = P(quiz bypass) * (1/10,000)

Combining two different cognitive channels sharply reduces non-targeted attack viability.
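
An added check, not IWISI's own code, for the figures in points 1, 3, 5 and 6. The 1/32 per-question figure holds when the correct subset is uniform over all 2^n subsets, so this computes the probability of the most likely answer set for that case and for an assumed generator that draws c uniformly from 0 through 3. Function names and both generator distributions are assumptions.

```python
from fractions import Fraction
from itertools import combinations
from math import comb, log2

def uniform_subset_dist(n):
    """Answer set drawn uniformly from all 2^n subsets; the empty set is NOTA."""
    subsets = [frozenset(s) for k in range(n + 1) for s in combinations(range(n), k)]
    return {s: Fraction(1, len(subsets)) for s in subsets}

def uniform_count_dist(n, max_c):
    """Assumed generator: c uniform on 0..max_c, then a uniform c-element subset."""
    return {frozenset(s): Fraction(1, max_c + 1) / comb(n, c)
            for c in range(max_c + 1) for s in combinations(range(n), c)}

def most_likely_answer(dist):
    """Most probable answer set and its probability. Under all-or-nothing
    scoring this is the best pass rate any fixed guess can reach."""
    answer = max(dist, key=dist.get)
    return answer, dist[answer]

def battery_bypass(p_question, questions=6, pin_space=10_000):
    """P(total bypass) = P(question)^questions * P(PIN guess), stages independent."""
    return p_question ** questions * Fraction(1, pin_space)

if __name__ == "__main__":
    for name, dist in [("uniform over subsets", uniform_subset_dist(5)),
                       ("uniform over c in 0..3", uniform_count_dist(5, 3))]:
        answer, p = most_likely_answer(dist)
        print(f"{name}: top answer {sorted(answer) or 'NOTA'}, p = {p}, "
              f"min-entropy = {-log2(p):.2f} bits, "
              f"battery bypass = 1 in {1 / battery_bypass(p)}")
```

Under the assumed uniform-c generator the empty set (NOTA) carries 1/4 of the probability mass, so the per-question figure is 1/4 rather than 1/32. For the 1/32 figure to apply, the generator has to choose c with weight proportional to C(n, c).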

7) All-or-Nothing Guessing Penalty

IWISI scoring is deterministic: any mismatch from the true answer set is logged as failure. This removes partial-credit effects and suppresses false positives in the authentication stream.

8) Adversarial Decoy Effect and Visual Distance

Decoys are generated to minimize visual distance from valid answers. Low visual distance prevents attackers from spotting outliers with superficial pattern matching and preserves intended entropy.

9) Performance and Operational Latency

Logged duration values (for example, duration_micros) can demonstrate that validation time remains stable while entropy increases. This supports the claim of strong security with low user-facing latency.

10) Non-Transferable User Fingerprint

Very low unauthorized pass probability supports treating a successful pass as high-confidence proof of identity. This enables frictionless stepping in a zero-trust architecture based on continuous proof, not assumed trust.