Ok, so there is a one-in-three chance of guessing the correct sequence, yes? Even if the whole operation would be quadrupled, as you said (choose the correct sequence, then again another three times), you will still have a 1-in-81 chance of guessing (3^4). This is by no means enough.
You mention allowing no more than three of four attempts, but this won't really work well either. You can't reliably do it by IP - it is easy for malicious users to jump between IPs (using e.g. botnets or different proxy servers), and if you do it by user account (e.g. ignoring IP, allowing only x number of attempts for the username before locking it down) you will have created the best possible scenario for denial-of-service attacks. Anybody would be able to lock anybody else's account trivially.
I agree that research is a good thing and that sequence-based login is kind of interesting, but the flaws really need to be covered as well. That is critical in any scientific field. As it is now, this method is completely unusable.