Background. Brain waves (electroencephalograms, EEG) can provide conscious, continuous human authentication for the proposed system. The advantage of brainwave biometry is that it is nearly impossible to forge or duplicate as the neuronal activity of people are distinctive even when they think about the same thing. Aim. We propose exploiting the brain as a biometric physical unclonable function (PUF). A user's EEG signals can be used to generate a unique and repeatable key that is resistant to cryptanalysis and eavesdropping, even against an adversary who obtains all the information regarding the system. Another objective is to implement a simplistic approach of cancelable biometrics by altering one's thoughts. Method. Features for the first step, Subject Authentication, are obtained from each task using the energy bands obtained from discrete Fourier transform and discrete wavelet transform. The second step constituting the Neurokey generation involves feature selection using normalized thresholds and segmentation window protocol. Results. We applied our methods to two datasets, the first based on five mental activities by seven subjects (325 samples) and the second based on three visually evoked tasks by 120 subjects (10,861 samples). These datasets were used to analyze the key generation process because they varied in the nature of data acquisition, environment, and activities. We determined the feasibility of our system using a smaller dataset first. We obtained a mean subject classification of 98.46% and 91.05% for Dataset I and Dataset II respectively. After an appropriate choice of features, the mean half total error rate for generating Neurokeys was 3.05% for Dataset I and 4.53% for Dataset II, averaged over the subjects, tasks, and electrodes. A unique key was established for each subject and task, and the error rates were analyzed for the Neurokey generation protocol. NIST statistical suite of randomness tests were applied on all the sequences obtained from the Neurokey generation process. Conclusions. A consistent, unique key for each subject can be obtained using EEG signals by collecting data from distinguishable cognitive activities. Moreover, the Neurokey can be changed easily by performing a different cognitive task, providing a means to change the biometrics in case of a compromise (cancelable).