ITFI20100167A1 - "METHOD OF IDENTIFICATION OF A USER THROUGH PASSWORDS" - Google Patents

Description

"METHOD OF IDENTIFYING A USER VIA PASSWORD"

DESCRIPTION

Technical field

The present invention relates to the computer data security sector and in particular the security of a user's personal data during transactions or access to services such as the use of ATMs, credit cards and more generally in any authoritative context in which each authorization must be accompanied by a user identification code and a secret code or password associated with the identification code.

In particular, the subject of the present invention is a method and a system for identifying a user by communicating to acquisition means a user code and a password previously stored in an electronic system for which said user code corresponds to said password.

State of the art

As is known, there are different ways to access services for which it is necessary to provide sensitive personal data.

A typical example is the service for withdrawing money from automatic teller machines, the so-called “ATMs” or “ATMs”.

In these cases, a user inserts his own identification card or magnetic card in which personal data (which can be summarized in a "user code") are stored, inside a terminal opening. The terminal reads the stored "user code" and requests the entry of a secret code or password. The user enters the password and the terminal operating in "online" mode checks in the archive or database to which it is associated whether there is a correspondence between the password and the user code stored in the card. If so, it allows access to the service, such as cash withdrawal. If not, there is no access to the service and after a certain number of access attempts, a user blocking system intervenes and the card is withdrawn or deactivated.

More generally, in every electronic system with access with user code and password there is a user interface that works as a means of acquiring the code and password (in the case of ATM services, the ATM terminal, but in other cases it may be present another type of terminal, such as a POS reader -point of sale- for the purchase of products, or a "totem" for the purchase or booking of train tickets, etc.) and an electronic archive (or database) where there is the association between user code and password. In the case of "on-line" services via the Internet, the user interface is given by the video and the computer keyboard (more generally: personal computer, PDA, advanced mobile phone, etc.) which is used for surfing the net. The site accessed will be equipped with appropriate data acquisition software.

It goes without saying that the security of personal data exchanged during access is a top priority for all managers of the various services. Fraud and identity theft resulting from the fraudulent acquisition of personal data are in fact on the agenda.

In this regard, think of the cloning of ATM cards or credit cards. A typical identity theft linked to these involves, for example, stealing the password as it is typed, for example by means of a camera placed at the ATM on which cash is withdrawn and the simultaneous or subsequent theft of the user code, which can take place for example by scanning the magnetic card by means of a device disguised as a false ATM inlet, or by subsequent theft of the card itself. Similarly, data theft can occur through an online access to an internet site. In this case the user provides his access data to the service (user code and password) without knowing the presence of a "spy" program loaded on the computer used that stores the data and sends them to the identity thief who set up the program or even without realizing that the site he is using is a "cloned" site, that is, it does not correspond to the real site on which he should make the transaction.

To solve identity theft when accessing services as described above, different methods of providing access data have been designed, one of the most used is the one called "one time password (OTP)". This method involves the use of a password that remains valid only for a single session of access to the service or transaction or for a very limited period of time. This password is provided from time to time to the user for access which must be carried out in various ways, illustrated below. Note how the use of an OTP avoids the problem of so-called "static" passwords (ie those consisting of alphanumeric characters that always remain those for the entire life of the card to which they are associated) which, once stolen, can be used up to upon interruption of the access service. An OTP effectively makes the theft of the password during its use useless, as it will no longer be used.

The communication of the OTP from the manager to the user can take place, for example, through a password generator with synchronized clocks. In practice, the service manager, for example a bank, provides the user with a generator device (token) which, when activated, generates a password that is readable by the user and valid for a limited period of time (for example 30 seconds). The password controller device (i.e. the system in which the password is entered) is also equipped with the same generative algorithm and therefore token and controller must be temporally synchronized to ensure the correspondence between the code generated and entered by the user and the code present in the control system.

Another way to communicate a known type of OTP involves, for "on-line banking" services, the generation of a security code (password) and sending in real time to the user who is using his own account of the service . A system of this type is for example commercially known under the name of "TynTec".

A similar system is also used by the well-known online payment system "PayPal". In this case, PayPal provides a protection service called "PayPal SMS Security Key" thanks to which the user, once connected to his PayPal account to make an online payment, can request, by "clicking" on a special icon present on the screen, sending a text message to your mobile phone containing an additional six-digit security password to be used to allow you to complete the payment procedure. There is therefore the need, upon request, to enter two different passwords to complete the transaction, the traditional "static" one and the one requested from time to time.

Using an OTP is certainly a good way to improve the security of access data to a service or transaction, as it eliminates the risks associated with the theft of a user code and static password. With these data in hand, the criminal can access the services in his own name.

However, it is clear that the use of systems with OTP does not completely eliminate the risk of the theft of service access data. In fact, it is clear that there is the possibility that a criminal can take possession of both the static access data, for example through the methods mentioned above, and at the same time can take possession of the devices suitable for receiving the OTP, such as the user's mobile phone. or the token and act to access the service before the user can deactivate it.

Purpose and summary of the invention

The purpose of the present invention is to increase the degree of security when accessing the service or carrying out transactions in which access codes and more generally sensitive access data are required, compared to currently known security systems.

This and other purposes, which will be clearer hereinafter, are achieved with a method of identifying a user by communicating to means for acquiring a user code and a password previously stored in a service management system so that said code user matches said password. The method is characterized by the fact that the password comprises a plurality of characters of which at least a part is static and at least a part is dynamic according to a predefined modality. By "static" we mean that the characters are substantially fixed, immutable, or not variable unless under particular conditions (forgetting the password, theft of the card on which it is stored, expiration, etc.); by "dynamic" we mean that the characters are not fixed or immutable but vary according to a predefined variation policy. According to the invention, the method provides for a phase of generation of the dynamic part of the password according to a predefined frequency or modality, and a phase of knowledge by the user of the dynamic part of the password generated, so that at each identification moment (in practice at a time or phase in which the user must communicate the password to allow the system to recognize the user associated with a given user code acquired by the system itself, in order to allow access to the service or with a transaction) the user is aware of the dynamic part of the password to be combined with the static part. This dynamic part is constantly updated within the management system so that there is always a correspondence between the user code and the complete password known by the user.

In practice, the idea on which the method is based is to separate the password used to verify the user into at least two parts, a static one known by the user (hereinafter also referred to as a static sub-pin) and substantially fixed, and a dynamic part (hereinafter also defined as dynamic sub-pin), i.e. variable, sent to the user via a personal device (mobile phone, device with e-mail browser or other), or generated by the user himself via a device token type synchronized with the management system.

It goes without saying that the dynamic part of the password, in the preferred embodiment and considered most advantageous in terms of security, is generated by the service management system and communicated to the user. Alternatively, in a less preferred embodiment but in any case covered by the present invention, it can be the same user who "generates" or "thinks" a new part of the password and communicates it to the management system according to a given modality.

The greater security that comes from using a password constructed in this way is evident. In fact, in order to violate access, or to complete the user profile, an evildoer should know the user code, the static part of the password and the dynamic part at the same time. Also depending on the type of password management policy used, the malefactor should be aware of how to combine static and dynamic parts of the password.

The term "user code" means a data useful for recognizing the user of the service or transaction, who must then provide the password. It goes without saying that in the preferred embodiment this user code can be formed by preferably alphanumeric characters, but alternatively the user data could be constituted for example by a fingerprint acquired by means of a suitable device, or even a retinal scanning or recognition system. vocal etc.

The term "character" means: letters, numbers, ASCII characters and more generally any symbol that can be implemented in the management and user interface system.

As mentioned, the method according to the invention provides that the password for user confirmation includes a "static" part and a variable or dynamic.

The way in which the password is composed, that is, what is the position of the characters of the static part of the password (which therefore never transit in the communications between the service manager and the user except at the time of identification) and what is the position of the characters of the dynamic part of the password (that is communicated dynamically between manager and user, as better explained below) depends on how the service is predefined, or rather on the “policy” or management methods of the service.

In practice, the password is broken down into two or more sub-parts communicated according to one or more different methods between the manager and the user or vice versa. According to a preferred embodiment, this password consists of two parts, one static and one dynamic and the dynamic part is sent in a single communication.

According to another embodiment, the method provides for a password with a static part and two or more dynamic parts, communicated by the management system / manager to the user (or vice versa) in two successive moments or in two different ways.

The characters of a static part of the password according to the invention, as well as those of a variable part, are not necessarily in succession to each other.

Advantageously, their position within the password sequence structure depends on the policy or reset mode of the service.

For example, it is possible to set the service so that the static characters (S) of the password are grouped in succession at the beginning of the sequence, while the dynamic characters (D) are grouped in succession at the end of the password sequence. Taking a password of five characters in sequence with the static characters in number of two, the structure of the password could therefore be as follows: SSDDD. The user is aware of the first two characters of the password (which always remain the same) while the following three characters are preferably communicated by the manager at a time prior to accessing the service or transaction. Once the manager has sent the three characters, for example via a text message (in the manner described below), the user combines the password according to the previously indicated default scheme.

As mentioned, the scheme can be different. For example, the user knows that the two static characters must be placed at the head and at the end of the password, according to the SDDDS sequence. Or again there could be a mixed combination of SDSDD, DSDDS, DSDSD etc ...

According to another more general embodiment, the way in which static and dynamic characters must be combined may depend on a prior decision (i.e. a predefined password management policy) according to which the position of a static or dynamic character in the string of one's own part of the password corresponds to a given position in the total sequence of passwords. For example, the static part of the password consists of the characters 52-44 in which the subscripts correspond to the position, according to the password management policy decided in advance (for example upon activation of the service), of the characters in the password sequence and therefore will have a D5D4D sequence. Similarly with regard to the password part with dynamic characters; the manager sends the following dynamic part of the password to the user: 23-4I-7 If the final password is therefore 45247.

Conveniently, in other embodiments, the method provides that the total length of the password is variable on the basis of a predefined management policy. For example, the data acquisition system for accessing the service or to allow the transaction requires the use of a password with a length of between x characters and x + y characters, for example between three and ten. The generation of the variable part of the password can therefore comprise a number of characters that can vary according to a given pattern. With reference to the last example, the password could include three static characters that are always known to the user and a number of dynamic characters in turn randomly variable between one and seven. For example, the static characters of the password can be 372 while the dynamic part of the password for a certain access or transaction can be 47765 (password of eight characters in total) while for a subsequent transaction the dynamic part communicated by the manager to the user can be 658 (password of six characters in total).

It goes without saying that in another embodiment, a password can have a fixed length but the number of static characters and dynamic characters be less than the totality of characters that make up the password, with the user being aware of the position of the characters static and dynamic characters within the sequence and with the remaining characters that can be typed randomly by the user as they are not taken into account by the identification / access system (the system uses for identification only the characters present in predetermined positions ). For example, with an eight-character password, the static part of the password has two 3-5 characters placed at the head and tail of the password (the position is known only by the user according to the policy decided when the service was defined) while the variable part has three characters 2-2-6 places grouped from the third to the sixth digit (also this position is known only by the user). The password will therefore be 3x226xx5 with x which can be replaced by any character.

It goes without saying that in other embodiments, the examples and methods described above to compose the password can be combined with each other according to the needs, for example obtaining passwords with variable length but with the user who is previously aware of the position not in rigorous succession of the various characters of the static and dynamic parts.

It is clear that the fact that the password management policy (length, position of static and variable characters, etc.) is an element that greatly increases the security of the system. In fact, this policy is only aware of the user (and, obviously, of the management system) and therefore, in the event that an evildoer manages to take possession of both the communication device of the dynamic part of the password, both of the user code and of the static password, this is unable to combine characters as it does not know how to do it correctly.

The password stored in the management system can be encrypted in order to make it unintelligible by any operator.

According to a preferred embodiment, the method provides that the supply of information by the user to the data acquisition system takes place with a single encrypted message which contains both the user code and the password with static and dynamic part, thus preventing any type of iteration with the user between the moment in which he is recognized by the system and when his identification code is sent.

In a preferred embodiment, the dynamic part of the password is sent to the user with the aim of being used in the subsequent transaction.

Preferably, the method according to the invention provides that the dynamic part of the password is sent to the user who has just been recognized by the system.

In the preferred embodiment, the method provides that the management system communicates with one or more user interfaces, for example ATM devices, POS readers, etc. by means of a first communication network (telematic network, telephone network, dedicated banking network, etc., preferably via cable but wireless type networks can also be used) in order to verify access to the service or implement the transaction; the same management system communicates with the user through a second communication network (for example telephone) in order to transmit the dynamic part (or parts) of the password to the user. It goes without saying that the first and second communication networks can also be of the same type, depending on how the system is implemented. Said first and second communication networks are of the "geographical" type, ie they allow communication over a long distance. Networks of this type are for example cable telephone networks, GSM, UTMS, satellite networks, etc. or computer networks, WAN (wide area network) such as internet etc. o Large LAN, VOIP lines etc.

Preferably, in a particularly convenient embodiment, the method according to the invention provides for wireless communication according to a third communication network, of the "local" type (ie with a limited range, for example less than 100 m, preferably between 0 and 25 m), such as a "wifi" network, an infrared communications network, or preferably "bluetooth", between the user, equipped with one or more devices to communicate in said third network (for example a telephone mobile phone, a "PDA", a "smartphone" a laptop, etc. equipped with the appropriate technology) and reception / transmission means for communications in said third network associated with respective user interfaces (for example an ATM, a POS reader, etc. .); said receiving / transmitting means associated with an interface verify the presence within its own field of a user communication device and communicate the presence (and also the possible absence) in the field of the user device to the management system through the first communication network; once the presence in this field has been verified, the management system knows where the user is located (near a given user interface) and is therefore able to communicate to the user via the first communication network and in succession, the third network communication, the variable part (or parts) of the password to the user.

In practice, in general, in the preferred embodiment, the management system communicates the dynamic part of the password to the user via a wireless telephone network, ie to the user's mobile phone (or equivalent device). To avoid the problems that could arise from the lack of coverage of the wireless telephone network, the method involves equipping the user interfaces with devices that communicate via bluetooth or wifi with the user's mobile phone. Therefore, in the event that there is no coverage, the management system can communicate with the user via the local bluetooth network, or wifi obviously passing through the geographical network that connects the management system and Γ user interfaces.

Advantageously, according to another embodiment, through this third network the management system, which knows the user's position as it is signaled in the field of a user interface associated with a bluetooth (or wifi) transmitter receiver, can send messages to the 'user targeted on the basis of its location, such as advertising messages from nearby businesses, information messages about events, etc.

It goes without saying that the present invention also relates to a system for identifying a user by means of communication to acquisition means of a user code and a password previously stored in a management system for which said user code corresponds to said password.

This identification system includes:

- at least one user interface defining the means for acquiring the user code and password; the password comprises a plurality of characters of which at least one part is static and at least one part of which is dynamic according to a predefined modality;

- an electronic management system, in turn includes:

a) an archive in which the correspondence between user code and password is stored,

b) means of communication according to a first communication network between the user interface and the management system, and according to a second communication network with at least one portable device associated with the user such as to receive said at least a dynamic part of the password,

c) electronic means for generating character sequences to be used as a dynamic part of said password;

In said management system, the management policy of the dynamic part of the password is implemented, as well as the method of communication of said dynamic part to the user, the method of combining the dynamic part with the static part of the password.

Preferably, in this identification system, the user interface comprises a device of the type with a card reader or magnetic card in which the user code is stored and equipped with a terminal for typing the password, such as for example an ATM device, a reader POS etc.

Preferably, in another embodiment of the identification system the user interface comprises a device equipped with means for acquiring the user code which consists of a terminal on which to type the code, or means for reading a fingerprint, or means for recognize the retina of a user's eye, or means of recognizing the user's voice.

In a preferred embodiment, at least one portable device associated with the user such as to receive the dynamic part of the password is a mobile phone, i.e. a portable phone capable of wireless communication, but other types of devices can be used, such as smartphones, laptops, devices for receiving voice or video messages, braille reading / writing systems, etc.

Advantageously, wireless communication means are associated with the user interface according to a local network, such as preferably a bluetooth or wifi network; said means allow to detect a portable device of the user to which to send via this local network, being equipped with similar means of communication, the dynamic part of the password and any other communications.

Brief description of the drawings

Further features and advantages of the invention will result from the description of one of its preferred but not exclusive embodiments, illustrated by way of non-limiting example in the attached drawings tables, in which

Figure 1 represents a diagram of an identification system according to the invention;

Figure 2 represents a flow diagram of the actions of a user using a method and an identification system according to the invention;

Figure 3 represents a flow diagram of the actions of the manager of a method and an identification system according to the invention;

Figure 4 represents a flow diagram of the actions related to the use of a communication device according to a local network such as bluetooth or wifi between user interfaces and portable device associated with the user to send the dynamic part of the password according to the invention.

Detailed description of an embodiment of the invention

The example that will be described below relates to an identification system for ATM and similar payment services (i.e. payment systems with a card associated with a current account or similar, in which a password is required), indicated as a whole with 10 in figure 1. In this example, therefore, the communication protocol between ATM / POS and the code verifier (for example a bank) is the traditional one. It goes without saying that the same logic can be applied to all systems that use a card or magnetic card to provide user identification and subsequent typing of a password, but also to identification systems on the internet or in other contexts.

To use a method according to the invention, a user needs to activate the service from the competent manager. In the activation procedure, the user, based on the specifications of the management system, decides how to communicate the dynamic part of the password, for example by mobile phone. Therefore, it records the telephone number and other identification data of the service to the service management system, such as the IMEI code (International Mobile Equipment Identity: numeric code that uniquely identifies a mobile terminal), the MAC address (media access control ) bluetooth (if present), the MAC address of the wifi card (if present), etc. It goes without saying that it is possible to decide to receive communications on multiple devices (multiple mobile phones or a mobile phone and a personal computer, etc.)

Figure 1 shows an example of a system according to the invention, in which the management system is indicated as a whole with 11 and the POS / ATM interfaces with 12. The management system is in practice an electronic processing center associated with means of various types of communication, described below.

When defining the characteristics of the service, the user chooses the position of the static characters of the password within the password itself. In the example discussed, according to the traditional ATM / POS - Bank protocol, the password is a five-digit "pin" (personal Identification number). For example, the management system expects the password to have two static characters. It is decided (decision that can be made by the user or imposed by the system) that the position of the two static characters of the static sub-pin are the head and tail of the password sequence of characters. Similarly, it is decided how the dynamic sub-pin should be permuted within the password sequence (ie what are the positions of the various dynamic characters within the password sequence). After signing up for the service, the user receives (for example by post) the identification magnetic card (which contains the "user code"). Subsequently it receives a further communication from the bank showing the static sub-pin, Xi and Y5 (in the example the letters indicate numbers, and the subscripts indicate the positions in the password sequence), for example corresponding to the day of birth of the user. The user receives a new communication, for example via mail or sms (or even voice message) to the mobile phone registered in the system or in another way, depending on the management system policy, in which the dynamic subpin is reported: A2B3C4 . The password will therefore be composed as follows XIA2B3C4Y2.

For example, the user goes to a commercial establishment to make a purchase. At the time of payment, insert the card into the POS device and enter the password (static sub-pin + dynamic sub-pin X1A2B3C4Y2) and the transaction is successful. If the service management policy establishes that the time has come to generate a new dynamic sub-pin, the management system implements the generation, stores the new dynamic sub-pin in its electronic archive to match the user code, and sends the new dynamic sub-pin to the user's mobile phone. If the management policy provides otherwise, the user will continue to use the old dynamic sub-pin.

In other cases, the management policy may provide that the dynamic sub-pin is sent as soon as the management system recognizes the user when entering the user code in the respective user interface.

In case the user makes a mistake in typing the password, the management policy can provide for different cases, generally similar to those currently known, which include, for example, the locking of the magnetic card and the need to go to the service manager to unlock it.

Figure 2 shows an example of a flowchart of user actions to use a service with an identification system according to the invention. In addition to what is described above, block B 1 is highlighted in particular, which regulates what happens if the dynamic sub-pin is not communicated to the user within a certain time interval (it must put me in communication with the service manager) ; block B2 instead indicates what happens if the user does not remember the dynamic sub-pin: the user, using an appropriate identification code generated and provided to him when the service is activated (type PUK code - personal unblocking key - used in telephony services or in “smart card” systems to unlock a previously blocked device / card) is able to recover (B3) the dynamic sub-pin or to generate a new one to be used for subsequent actions.

Figure 3 shows the flow diagram of the management system actions as described above.

Of particular interest is also the way in which the communications of the dynamic sub-pin take place between the management system II and the user. In the preferred embodiment, it is the user's cellular phone 13 which is able to receive this dynamic subpin. It goes without saying that the coverage of the GSM or UMTS telephone network (indicated by 14 in figure 1) may not always be optimal and therefore situations may arise in which the mobile phone 13 cannot be traced by the management system 11 for sending the sub - dynamic pin.

To overcome this problem, according to the invention, each user interface, in the particular case ATM machines or POS devices 12, are associated with transmission / reception means 15 according to a wireless communication network 16 of the short-range type. 17, as preferably a bluetooth or wifi network.

For example, an ATM or POS device 12 can also comprise a Bluetooth device 15. The management system 11 communicates with the Bluetooth device 15 of the ATM or POS machine 12 via for example the same line (for example telephone or internet / WAN) with which it communicates with the ATM itself for the functions of verifying user identification and providing the service / transaction. It goes without saying that the mobile phone must be equipped with a similar bluetooth or wifi technology (which is already widespread on mobile phones today).

For example, the bluetooth device 15 of an ATM periodically monitors (with a very high frequency) its field of action 17 to check which phones 13 (or other user devices) are present. When it identifies a mobile phone, it sends a communication to the management system 11 to check if the phone in question (via Γ bluetooth address) is one of those stored in the system archive. In addition, the bluetooth device of the ATM also checks when a phone previously present in field 17 leaves this and communicates the exit / absence of the user's phone to the management system.

The management system 11 is therefore able to know if the user's mobile phone 13 is close to a given ATM 12 (or POS device or other user interface equipped with Bluetooth technology). Figure 4 shows a flow diagram of a possible way of sending the dynamic sub-pin via the bluetooth devices 15 (or similar) associated with the ATMs (or other interfaces).

If the management system has to deliver a message with the dynamic sub-pin (or possibly with another type of content) to the mobile phone of the user 13, there is a check for the presence of this phone in the field 17 of a bluetooth device 15 ( block B4). If the phone can be reached via bluetooth, the message is sent (B5) (it is clear that the sub-pin is sent via line 19 to the ATM and via bluetooth 16 to phone 13). There is a verification of the message delivery (B6). If the message has not been delivered, it is sent via an alternative network (C4), for example the GSM telephone network 14 (or equivalent). Similarly, if the cellular telephone 13 cannot be reached with the Bluetooth network 16, the message is sent via an alternative network (C4), for example the GSM telephone network 14 (or equivalent).

Note how the bluetooth or wifi system (or other with the same function) may not be physically close to a user interface 12 but simply be an "autonomous" device which is in any case in communication with the management system 11 (for example via a WAN internet line or traditional telephone line 19 '. The bluetooth or wifi system can be installed in places with a high flow of people (for example supermarkets) in order to reach users not only the dynamic part of the password but also advertising messages commissioned and possibly customized on the individual user.

It goes without saying that the user interfaces may also be different from those indicated, such as personal computers 12 'connected to the internet 19 ". In this case, the user interface also includes the screen of a special website on which to access the service / perform a transaction through identification according to the invention.

The idea on which the method and system according to the invention is based is the splitting of the password to verify the user in at least two parts: a static one known only to the user and a dynamic sent to the user via a personal device. The password is a single string composed of a static and a dynamic part, mixed according to a predefined policy.

It should be noted that the inventive solution identified makes it possible to considerably reduce the risk of identity theft for Γ identification of access to a service or for the completion of a transaction using IT tools, while at the same time avoiding the disruption of the IT systems used today. . For example, in the case of ATM services, no changes are made to the protocol between POST / ATM and the verifier of user data (user code, password), such as a bank. In fact, what will need to be implemented in currently existing systems will be modules that interact with the archive in which the correspondence between user code and password is stored in order to dynamically change the password as explained above.

It is understood that what is illustrated represents only possible non-limiting embodiments of the invention, which may vary in forms and arrangements without departing from the scope of the concept underlying the invention. The possible presence of reference numbers in the attached claims has the sole purpose of facilitating their reading in the light of the above description and the attached drawings and does not in any way limit the scope of protection.

Claims (20)

"METHOD OF IDENTIFYING A USER VIA PASSWORD" CLAIMS 1) Method of identifying a user by communicating to acquisition means a user code and a password previously stored in a management system whereby said password corresponds to said user code, characterized by the fact that said password comprises a plurality of characters one part of which is static and one part is dynamic according to a predefined modality, called predicting method - a generation step of said at least one dynamic part of the password according to a predefined frequency or modality or policy e - a phase of knowledge by the user of said at least one dynamic part of the password generated in such a way that at each identification moment the user is able to correctly combine said at least one dynamic part of the password with said at least one static part ; dictates at least a dynamic part of the password being constantly updated within the management system so that there is always a correspondence between the user code and the complete password known by the user. 2) Identification method according to claim 1, characterized by the fact that said at least one dynamic part of the password is generated by a generator device equipped with a generator algorithm, uniquely available to the user and synchronized with means equipped with the same generator algorithm inside the system management system so that the complete password associated with the user code is stored in the management system. 3) Identification method according to claim 1, characterized in that the generation step of said at least one dynamic part of the password is performed by said management system, said method comprising a step of communicating to the user of said at least one dynamic part password according to a predefined frequency or modality or policy in such a way that at each identification moment the user is aware of said at least one dynamic part of the password to be combined with said at least one static part. 4) Identification method according to claim 3, characterized by the fact that the communication phase of said at least one dynamic part of the password to the user takes place by sending a message uniquely intended for at least one predefined device available to the user. 5) Identification method according to one or more of the preceding claims, characterized by the fact that the recognition step for Γ access to the service or to carry out a transaction provides that, after the acquisition by said acquisition means, said user code and passwords are sent to in a single communication. 6) Identification method according to one or more of the preceding claims, characterized in that said password is formed by only two parts, a static part and a dynamic part. 7) Identification method according to claim 3 or 4, characterized by the fact that said password is formed by a static part and two or more dynamic parts, communicated by the management system to the user in two or more successive moments or in two or more different modes. 8) Identification method according to one or more of the preceding claims, characterized in that the position of the characters of said at least one static part and of the characters of said at least one dynamic part within the password sequence is known only to the user and to the management system. 9) Identification method according to one or more of the preceding claims, characterized in that the combination of the characters of said at least one static part and the characters of said at least one dynamic part within the password sequence takes place in such a way that a position in the string of one's own part of the password of a character corresponds to a position in the sequence of passwords according to a predefined sorting known by the user. 10) Identification method according to one or more of the preceding claims, characterized in that said at least one dynamic part of the password has a constant or variable length; in the latter case, the number of characters making up said dynamic part of the password is variable in accordance with a predefined variation method implemented in said management system. 11) Identification method according to claim 10, characterized in that the length of the string of said password, or the number of characters making up the password, is variable according to a predefined variation method implemented in said management system. 12) Identification method according to claim 10, characterized in that said password has a fixed length with the number of characters of said at least one static part and of at least one dynamic part lower than the totality of characters making up the password; the position of said static and dynamic part characters in the password sequence being known to the user; the characters in the positions of the password sequence that do not correspond to those assigned to the characters of the static and dynamic parts being not taken into consideration by the management system to verify the correspondence between user code and password. 13) Identification method according to one or more of claims 4 to 12, characterized in that said management system - communicates with one or more user interfaces, through which identification data are acquired, through a first communication network of the type for long distance communications in order to verify access to the service / implement the transaction; - communicates with said user device through a second communication network of the type for long distance communications in order to transmit said at least one dynamic part of the password to the user; - communicates with at least one user device by means of a third communication network of the type for short range communications, there being present reception / transmission means for communications in said third network and preferably associated with respective user interfaces, said reception / transmission means being in communication with the management system; said reception / transmission means verifying the presence within its own field of action of a user communication device and communicating the presence in the field, and / or even the eventual absence, of said user device to the system management via said first communication network; having verified the presence in said field, i.e. knowing the position of the user's device close to a given user interface, said management system being able to communicate to said user device through said first communication network and in succession, said third communication network communication, called at least a dynamic part of the password; preferably through said third network, said management system being able to send messages of various types to said user's device, such as for example advertising and / or information relating to services or events located in the vicinity of the field of action of said third communication network in which the device is submerged. 14) Identification method according to claim 13, characterized by the fact that said third network is of the "bluetooth" and / or "wifi" and / or infrared type. 15) Identification method according to one or more of claims from 4 to 14, characterized in that said management system communicates with said user device by means of a first telephone network of the GSM, UMTS or other type. 16) Identification method according to one or more of the preceding claims, characterized by the fact that after each use of a password, or after each access to the service / completion of a transaction, a new dynamic part of the password is generated which replaces the previous one dynamic part in the management system and which is communicated to the user. 17) System for identifying a user by supplying acquisition means with a user code and a password previously stored in a management system whereby said password corresponds to said user code, said identification system comprising - at least one user interface defining the means for acquiring the user code and password; said password comprising a plurality of characters at least one part of which is static and at least one part of which is dynamic according to a predefined modality; - an electronic management system, in turn comprising an archive in which the correspondence between user code and password is stored, communication means according to a first communication network between the user interface and the management system, and according to a second communication network with a device associated with the user such as to receive said at least a dynamic part of the password, electronic means for generating character sequences to be used as a dynamic part of said password, the management policy of the variation of said at least one dynamic part of the password being implemented in said management system, the method of communicating said at least one dynamic part to the user, how to combine the dynamic part with the static part of the password. 18) Identification system according to claim 17, characterized in that at least one said user interface comprises a) a device of the type with a card reader or magnetic card in which the user code is stored and equipped with a terminal for typing the password, or b) Γ interface or screen of a website with which the user interacts to enter the user code and password. 19) Identification system according to claim 17 or 18, characterized by the fact that said at least one device associated with the user such as to receive said at least one dynamic part of the password is a mobile phone, i.e. a portable phone capable of wireless communication. 20) Identification system according to claim 17, 18 or 19, characterized by the fact that said at least one user interface is associated with wireless communication means according to a local network with a reduced range of action, such as preferably a bluetooth or wifi network; said means allow to detect a portable device of the user to which to send via said local network, being equipped with similar means of communication, said at least a dynamic part of the password and any other communications, preferably advertising or information messages- you.