Authentication requires that you play a round of the game —
but this time, your 30-letter sequence is interspersed with
other random 30-letter sequences.
Which makes it sound to me like your password could be deduced from a single (failed) login attempt, and then reproduced after a session in the trainer.
Their discussion of that attack, from the paper itself:
If the attacker is allowed multiple authentication
attempts — iterating the extraction and test phases,
alternating between the two — then the protocol may
become insecure. The reason is that during an
authentication attempt the attacker sees the three
sequences k0, k1, k2 and could memorize one of them (30
symbols). He would then train offline on that sequence so
that at the next authentication attempt he would have a
1/3 chance in succeeding. If the attacker could memorize
all three sequences (90 symbols), he could offline
subject a trained user to all three sequences and
reliably determine which is the correct one and then
train himself on that sequence. He is then guaranteed
success at the next authentication trial.
We note that this attack is non-trivial to pull off
since it can be difficult for a human attacker to
memorize an entire sequence at the speed the game is
played.
. . . which isn't all that reassuring, given that if I were trying to break in using this technique, I wouldn't be memorizing, I'd be recording.
But it sounds like the system is designed to only give an attacker one trial (notionally opening a trap door under his feet if he fails even once), and it does seem much more secure in that context.