ITUB20152662A1 - SYSTEM TO STORE, MANAGE AND USE A USER'S ACCESS CREDENTIALS - Google Patents

Description

DESCRIPTION

"SYSTEM FOR STORING, MANAGING AND USING A USER'S ACCESS CREDENTIALS"

TECHNICAL FIELD OF THE INVENTION

The present invention relates to a system for storing, managing and using, in a simple and secure way, a user's access credentials, such as user names, passwords, numeric or alphanumeric identification codes, as well as FINs of ATM cards and / or credit cards.

STATE OF THE ART

It is estimated that today, globally, cybercrimes involve losses in excess of $ 400 billion a year. It is also estimated that the annual number of victims of cybercrime is around 556 million, or more than 1.5 million per day, or 18 victims per second.

To date, the theft of access credentials to controlled access services / systems accessible via the web (ie via the internet), for example internet banking and social network services, most likely represents the most frequently perpetrated cybercrime, for example by means of of so-called phishing, web spoofing or keylogging techniques.

Therefore, nowadays there is a great need for systems that allow the access credentials (user names, passwords, FIN, identification codes, etc.) of users of controlled access services / systems accessible via the web to be protected and managed in a secure manner (which hereinafter they will be referred to simply as controlled access web services / systems).

Furthermore, in relation to the issue of managing access credentials, it should also be noted that each user is generally forced to manage a large number of credentials. In fact, for each controlled access web service / system it is generally necessary to create, store, update and use a respective set of access credentials (typically at least a respective user name and a respective password). All of this can lead to several problems. For example, a user may forget one or more of their login credentials or the place where they have written down / registered them. To limit this risk, many users use the same password to access different controlled access web services / systems, thus going against the most elementary IT security rules. Moreover, some users, in order to reduce the risk of forgetting their passwords, generate and, therefore, use very simple passwords so that they can be easily remembered. Unfortunately, however, very simple passwords are not very robust from the point of view of IT security. Furthermore, even if there are currently systems for storing passwords, these systems are still not used by many users (according to some statistics, even more than 90% of internet users do not use them), presumably because these systems are perceived as not easy to use.

Finally, it is important to draw attention to the fact that also the management of PINs ("Personal Identification Numbers", that is, in Italian, personal identification numbers) associated with debit and credit cards is generally affected by problems similar to those previously illustrated in relation to the management of access credentials to controlled access web services / systems.

OBJECT AND SUMMARY OF THE INVENTION

The purpose of the present invention is, therefore, to provide a system that allows, in general, to overcome, at least in part, the problems relating to the management of access credentials to controlled access web services / systems and, in particular, to protect and securely manage those credentials.

This and other purposes are achieved by the present invention as it relates to a system for storing, managing and using a user's access credentials, as defined in the attached claims.

In particular, the system according to the present invention comprises a mobile communication device which;

• is associated with a user;

• is configured to connect to, and communicate via, the Internet wirelessly; and

• is programmed to perform an authentication functionality that includes

prompt the user to enter a security code, e

check if the security code entered by the user is correct.

The system according to the present invention is configured to perform a storage and modification function of access credentials, which includes:

• execute, through the mobile communication device, said authentication function; and, • if the security code entered by the user is correct, allow the user to

memorize, on said system, one or more access credentials to be used to access a corresponding controlled access web service / system, in which the user's access credentials are stored on the system in encrypted form, and

modify access credentials previously stored on said system by said user. Furthermore, the system according to the present invention is configured to perform also an access functionality to controlled access web services / systems, which includes:

• execute, through the mobile communication device, said authentication function; And,

• if the security code entered by the user is correct, connect via the Internet and access a controlled access web service / system selected by the user using one or more corresponding access credentials stored by said user on said system.

Preferably, the system also comprises a portable security device and is configured to store in encrypted form the user's access credentials that correspond to the same web service / system when performing the function of storing and modifying access credentials. controlled access partially on the portable security device and partially on the mobile communication device.

More preferably, the portable security device and the mobile communication device are configured to communicate wirelessly via Near Field Communication technology, and the mobile communication device includes internal storage means and is programmed to:

• when performing the authentication function, communicate with the portable security device using Near Field Communication technology in order to check if the security code entered by the user is correct, - • when the user uses the storage and modification function of access credentials,

store in encrypted form, on the internal storage media, the user's first access credentials that correspond to a given service / web system with controlled access, and

communicating with the portable security device through Near Field Communicator technology in such a way as to store in encrypted form, on said portable security device, second user access credentials that correspond to said given service / web system with controlled access; and • when the user uses the access functionality to controlled access web services / systems,

retrieve, from the internal storage media, the user's first access credentials that correspond to the controlled access web service / system selected by the user, and

communicating with the portable security device through Near Field Communicator technology in such a way as to retrieve, from said portable security device, the user's second access credentials which correspond to said controlled access web service / system selected by the user. Alternatively, the mobile communication device includes internal storage means and is programmed for;

• memorize in encrypted form, on the internal storage means, a security reference code of the user;

• when performing the authentication function, compare the security code entered by the user with the reference security code stored on said internal storage means, thus checking if the security code entered by the user is correct, - • when the user uses the function of storing and modifying access credentials, store the user's access credentials in encrypted form on the internal storage media; And

• when the user uses the access functionality to controlled access web services / systems, retrieve, from the internal storage media, the user's access credentials that correspond to the controlled access web service / system selected by the user.

Conveniently, the mobile communication device is programmed to perform the function of storing and modifying access credentials and the functionality of accessing controlled access web services / systems.

Alternatively, the system also comprises a computer / laptop associated with the user and configured to connect to and communicate over the Internet; in this case, the mobile communication device is programmed to communicate with the computer / laptop via the Internet in such a way as to perform, in cooperation with said computer / laptop, the functionality of storing and modifying access credentials and the functionality of accessing controlled access web services / systems.

Preferably, the system is configured to also perform a personal identification number storage and modification functionality, which includes:

• execute, through the mobile communication device, the authentication function; And,

• If the security code entered by the user is correct, allow the user to

storing, on said system, one or more personal identification numbers associated with the user's ATM cards and / or credit cards, in which the user's personal identification numbers are stored on the system in an erupted form, and

modify personal identification numbers previously stored on said system by said user.

Furthermore, preferably, the mobile communication device comprises display means and is configured to also perform a display functionality which includes:

perform the authentication functionality; and, if the security code entered by the user is correct,

allow the user to select an access credential stored on said system or a personal identification number stored on said system, and display in a distorted way, through the display means of said mobile communication device, the access credential or the number of personal identification selected / or by the user.

Conveniently, the system comprises a plurality of mobile communication devices, each of which is associated with a respective user; said system being configured to perform also a delegation assignment function, which includes:

• perform the authentication function through a first mobile communication device associated with a first user; And

• if the security code entered by the first user is correct, allow said first user to assign a delegation to a second user of the system to use one or more specific access credentials of said first user.

Furthermore, conveniently, the system is configured to also perform a proxy revocation functionality, which includes:

• perform the authentication function via the first mobile communication device; And

• if the security code entered by the first user is correct, allow said first user to revoke the delegation assigned to the second user.

Finally, conveniently, the system is configured to allow said second user to use the access functionality to controlled access web services / systems on the basis of said / and specifies / which access credential / s of said first user.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of the present invention, some preferred embodiments, provided purely by way of non-limiting explanatory example, will now be illustrated with reference to the attached drawings (not to scale), in which:

Figure 1 schematically illustrates a system for storing, managing and using a user's access credentials according to a preferred embodiment of the present invention; And

Figures 2-8 schematically illustrate examples of procedures that can be carried out by means of the system of Figure 1.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION

The following description is provided to enable a person skilled in the art to make and use the invention. Various modifications to the presented embodiments will be immediately evident to skilled persons and the generic principles disclosed herein could be applied to other embodiments and applications without, however, thereby departing from the scope of protection of the present invention as defined in the attached claims.

Therefore, the present invention must not be understood as limited only to the embodiments described and shown, but must be granted the widest scope of protection consistent with the principles and characteristics presented here and defined in the attached claims.

The present invention relates to a system for storing, managing and using a user's access credentials. These access credentials are used to access controlled access web services / systems (for example internet banking services and social networks) and can conveniently include user names, passwords, FINs, numeric or alphanumeric identification codes, etc. .. Preferably, the system according to the present invention it can also be used to memorize, manage and use PINs associated with a user's ATM and credit cards.

For a better understanding of the present invention, Figure 1 schematically illustrates a system (indicated as a whole with 1) according to a preferred embodiment of the present invention.

In particular, system 1 includes:

• a portable security device 11, for example made in the form of a key ring, which is configured for

communicate wirelessly (i.e. wirelessly) using Near Field Communication (NFC) technology, e

memorizing, in encrypted (ie encrypted) form, a user's password for access to controlled access web services / systems 3 and, preferably, also one or more PINs associated with the ATM and / or credit cards of said user;

• a mobile communication device 12, conveniently a smartphone or tablet, which is configured to communicate wirelessly via Near Field Communication technology, configured to connect to, and communicate through, a cellular network (for example via UMTS, LTE, LTE Advanced, etc.),

configured to connect to and communicate through the Internet network (in Figure 1 indicated as a whole with 2) wirelessly (for example via GPRS, EDGE, HSPA, UMTS, LTE, LTE Advanced, Wi-Fi, WiMAX technology, etc.), possibly through one or more local networks (domestic, corporate, public, private, etc.) based on Internet Protocol (IP), and

provided with a predefined software application for the use of system 1;

• a computer 13, fixed or portable (ie a so-called laptop), that is

configured to connect to Internet 2, possibly through one or more local networks (domestic, corporate, public, private, etc.) based on IP protocol, and equipped with a web browser (or browser), i.e. a software program for navigation web; and

• a website or web portal 14 designed to allow the use of the system 1.

The mobile communication device 12, while using the system 1, communicates with the portable security device 11 by means of NFC technology. Furthermore, the mobile communication device 12, during the use of the system 1, also communicates with the computer 13. In this regard, however, it should be noted that said mobile communication device 12 and said portable safety device 11 communicate directly with each other by means of technology. NFC, while the communications between said mobile communication device 12 and said computer 13 actually take place through the Internet network 2 (for this reason the bidirectional arrow that in Figure 1 connects the mobile communication device 12 and the computer 13 has been drawn dashed).

The portable security device 11 is designed to store, that is to store, in encrypted form and, therefore, in a secure manner, the passwords and, preferably, also the FINs of a user, allowing them to be recovered at any time and in any place without others can read them.

More generally, the system 1 allows a user to use, at any time and in any place, their credentials for access to controlled access web services / systems 3 and, preferably, also the FINs of their ATM cards and / or credit, avoiding the theft and reading by malicious people.

In particular, the use of system 1 is based on the use of a single security code, which in the following will be called, for simplicity of description, PUC, an acronym that stands for "PinPeasy Unlock Code", that is the PinPeasy unlock code. , where PinPeasy is the commercial name assigned by the Applicant to the portable security device 11.

In detail, thanks to the use of a single security code, i.e. the aforementioned PUC, a user can:

• store on system 1, in encrypted form and, therefore, in a secure manner, all their credentials for access to respective web services / systems with controlled access 3;

• securely manage all their access credentials, in particular by storing new ones on system 1 and modifying or deleting those previously stored; and

• use respective web services / systems with controlled access 3 in a secure manner, in particular without an attacker being able to steal their access credentials.

Furthermore, thanks to the use of the PUC, a user can, preferably, also:

• store on system 1, in encrypted form and, therefore, in a secure manner, the FINs of one's debit and / or credit cards;

• manage their own FINs in a secure manner, in particular by storing new ones on system 1 and modifying or deleting those previously stored; And

• read their PINs without an attacker being able to read them in turn.

Therefore, thanks to the use of system 1, a user will have to keep in mind only his own PUC, without having to remember all the different access credentials and / or the various PINs.

As regards the issue of safety, it is important to underline the fact that system 1 has been designed by the Applicant in such a way as to satisfy very stringent safety requirements. In particular, the passwords (and possibly also the PINs) are stored in encrypted form (using predefined encryption algorithms) on the portable security device 11, while the other credentials and, conveniently, also other access information (for example web addresses to access the various controlled access web services / systems 3) are stored, again in encrypted form, on the mobile communication device 12. Conveniently, during the use of the system 1, the passwords (and, possibly, also the other access credentials) remain invisible in such a way as to further increase the security of the system 1. Preferably, the portable security device 11 is designed in such a way as to be intrinsically protected against cloning. Finally, it is worth underlining the fact that the system 1 guarantees a multi-level security, for example, from the architectural point of view, a four-level security (portable security device 11, mobile communication device 12, computer 13 , PUC).

Preferably, the system 1 is equipped with a password generator configured to allow a user to generate passwords which satisfy predefined security requirements. These passwords can, therefore, also be very complicated in order to be very secure, while avoiding the need for the user to remember them (as explained above, thanks to the use of the PUC). Conveniently, the password generator can be realized by means of a password generation function implemented by the aforementioned predefined software application which is installed on the mobile communication device 12 for the use of the system 1.

Preferably, the mobile communication device 12 comprises display means (for example a screen) and the predefined software application installed on said mobile communication device 12 for the use of the system 1 comprises an access credentials and PIN display functionality which allows to display in a distorted way, on said display means, access credentials, in particular a password, or a PIN so that the displayed credentials (in particular the displayed password) or the displayed PIN are / are only legible by the user who is using the mobile communication device 12. For example, said access credentials and PIN display functionality can conveniently use distorted characters, different fonts, non-homogeneous backgrounds, etc., in a similar way for display to what happens with the so-called CAPTCHA tests. The access credentials and PIN display functionality can conveniently be used by a user to protect a password or PIN from prying eyes, for example when the user wants to withdraw cash from an ATM using an ATM card or credit.

Preferably, the system 1 also allows a user to:

• delegate the use of your credentials to other people without them being able to know these credentials;

• monitor the use of their credentials made by the delegated persons; And

• revoke the proxies previously assigned.

Conveniently, the system 1 also allows a user to:

• manage, in a guided way, the backup of their access credentials;

• choose where to store the backup data;

• store their passwords and, if necessary, also their PINs on various portable security devices 11; And

• block the use of a respective portable safety device 11 (for example because it has been lost).

For a better understanding of the operation of the system 1, Figures 2-8 schematically illustrate examples of procedures that can be carried out by means of the system 1 in the case, respectively, of:

• first use of system 1 by a user; • login of a user to use system 1; • memorization of a user's access credentials;

• modification of previously stored credentials; • use of controlled access web services / systems 3;

• activation of a proxy; and

• use of the aforementioned display of access and FIN credentials.

In particular, Figure 2 shows an example of the registration procedure for a new user who has decided to use system 1. As shown in Figure 2, this registration procedure requires the new user to download and install on his / her communication device mobile 12, for example a smartphone or tablet, the default software application for using system 1 (block 101). Once installation has been carried out, said software application requests the user to enter the telephone number of the mobile communication device 12 (block 102). Conveniently, the telephone number is dialed by the user through user interface means of said mobile communication device 12 (for example a touch screen). The telephone number is then sent via the Internet network 2 to the server hosting ('' hosting ") the website / web portal 14 of the system 1 and said server checks the telephone number received (block 103), for example by Sending an SMS containing a verification code to the mobile communication device 12. If the verification of the telephone number (block 103) is unsuccessful, the procedure ends (block 110). If, on the other hand, the verification (block 103) is successful, the software application asks the user to enter further information (block 104), for example personal data, e-mail address, etc. Subsequently, the software application guides the user in creating the PUC (block 105), preferably by means of the aforementioned password generation function which allows the generation of passwords that satisfy predefined security requirements. Subsequently, the mobile communication device 12 connects to the portable device of s security 11 through NFC technology and an initialization procedure of said portable security device 11 based on the PUC created by the user (block 106) is performed. Conveniently, the initialization procedure (block 106) ends with the storage in encrypted form of the PUC on the portable security device 11. Then said device 11 confirms to the software application of the mobile communication device 12 that the PUC has been registered (block 107). Said software application therefore informs the hosting server of the web site / portal 14 of the registration and said server confirms the registration of the new user (block 108), for example by sending an e-mail message to the latter. At this point the software application installed on the mobile communication device 12 concludes the registration of the new user (block 109) and in this way ends the registration procedure (block 110).

Each user, once registered using the procedure shown in Figure 2, can then use system 1. In particular, whenever a registered user wishes to use system 1, said user must perform a login procedure, i.e. a authentication procedure, based on the PUC. In this regard, Figure 3 illustrates an example of a login procedure which requires the user to use the browser of his computer 13, fixed or portable, to connect via the Internet network 2 to the website / web portal 14 (block 201), The hosting server of the website / web portal 14 therefore requests the telephone number of the user's mobile communication device 12 (block 202) and the latter types this number by means of the user interface of said computer 13 (block 203) , for example via a computer keyboard 13. Once the telephone number has been communicated to the hosting server of the website / web portal 14, said server searches for the mobile communication device 12 associated with this telephone number (block 204), after which sends, via the Internet network 2, to the mobile communication device 12 associated with the telephone number one or more commands which activate the software application installed on said device 12 (block 205). Once said software application has been activated, the user inserts his own PUC (block 206) which is then compared with the one stored on the portable safety device 11 to verify its correctness (block 207). If the verification of the PUC (block 207) fails, the user is again prompted to enter his / her PUC (block 206). If, on the other hand, the verification of the PUC (block 207) is successful, the mobile communication device 12 sends to the hosting server of the website / web portal 14, via the Internet network 2, respective IP connection parameters (block 208), for example the IP address of said mobile communication device 12, and the server forwards these IP connection parameters to the computer 13 again via the Internet network 2 (block 209). Once the IP connection parameters of the mobile communication device 12 (block 210) have been received, the computer 13 can begin to communicate directly with said device 12 through the Internet network 2, without the need for the intermediation of the site hosting server. / web portal 14. In particular, once the IP connection parameters of the mobile communication device 12 (block 210) have been received, the computer 13 requests from said device 12 the list of controlled access web services / systems 3 to which it is registered user (block 211). Said mobile communication device 12 then sends said list (block 212) to the computer 13 and, once the computer has received said list (block 213), the login procedure ends (block 214).

Figure 4, on the other hand, shows an example of a procedure for storing a user's new login credentials. In particular, as illustrated in Figure 4, this procedure for storing new credentials provides, first of all, the execution of the login procedure (block 301) shown in Figure 3 and previously described. Subsequently, the user requests, by means of the computer 13, the storage of a new credential (block 302) and enters the name of the relative service, the respective web address (or access link), his username and, if necessary , also of the notes (block 303). The insertion of the password and / or the FIN takes place, on the other hand, by means of the mobile communication device 12 (block 304). Once the password and / or the FIN (block 304) has been entered, the user can confirm or not the storage of the new credential (block 305) via the mobile communication device 12. If the user confirms the storage of the new credential ( block 305), the password and / or the FIN are stored in erupted form on the portable security device 11 (block 306), while the name of the new service, the respective access link, the user name and any notes are stored in form erupted on the mobile communication device 12 (block 307), after which the memorization procedure of the new credential ends (block 308). If, on the other hand, the user does not confirm the memorization of the new credential (block 305), the procedure is terminated (block 308) without memorizing said new credential.

Figure 5 shows an example of a procedure for modifying a previously stored credential. As shown in Figure 5, this procedure provides, first of all, the execution of the login procedure (block 401) shown in Figure 3 and previously described. Subsequently, the user selects, by means of the computer 13, a credential to be modified (block 402) and modifies the name of the relative service and / or the respective web address (or access link) and / or his username and / or related notes (block 403). The confirmation or modification of the password and / or the FIN takes place, on the other hand, by means of the mobile communication device 12 (block 404). After that, the user can confirm or not the modification of the credential (block 405) through the mobile communication device 12. If the user confirms the modification of the credential (block 405), the modified data are updated, again by means of an erupted memorization , on the portable security device 11 (block 406, if the modification concerns the password and / or the FIN) and / or on the mobile communication device 12 (block 407, if the modification concerns the name of the service, the access link, the user name and / or any notes), after which the credential modification procedure ends (block 408). If, on the other hand, the user does not confirm the modification (block 405), the credential modification procedure is terminated (block 408) without any modification of the stored data.

On the other hand, as regards access to controlled access web services / systems 3 through system 1, Figure 6 illustrates an example of a procedure for accessing a web service, for example an internet banking service. As shown in Figure 6, this procedure provides, first of all, the execution of the login procedure (block 501) shown in Figure 3 and previously described. Subsequently, the user selects, by means of the computer 13, an access credential to be used (block 502) and requests to access the web service associated with the selected credential (block 503). Subsequently, the software application of the mobile communication device 12 connects the latter, via NFC technology, to the portable security device 11 (block 504) to read the password and / or the FIN which are associated with the selected credential and are stored on said portable safety device 11 (block 505). Thereafter, the mobile communication device 12 transmits to the computer 13, via the Internet network 2, preferably in an erupted form, the name of the service, the access link, the user name and any notes stored on said mobile communication device 12 and the password and / or FIN recovered from the portable security device 11. Finally, the computer 13 accesses the web service (block 507) by means of the data received from the mobile communication device 12, after which the access procedure ends ( block 508).

Based on what has been described so far, system 1 is equipped with an authentication function based on the use of the PUC which, once performed, allows a user to use the other functions of system 1, in particular the functions for adding / modifying / delete login credentials and to access controlled access web services / systems without having to type in either username or password.

For example, if a user wants to access an internet banking service or a social network, he can connect, through the browser of his laptop, to the website / web portal 14 and enter his telephone number. At this point, the user's smartphone, after activating the specific software application, requests the insertion of the PUC. Once the correctness of the PUC has been verified with respect to the one stored on the portable safety device 11, in addition to the functional menu, the list of services previously registered by the user becomes available on a sidebar of the browser. It is therefore sufficient to choose the service you want to access by clicking on it, after which the browser is automatically redirected to the page associated with the requested service and the access credentials are entered in a guided or automatic way without having to type them in any case.

As regards, instead, the assignment of proxies within the system 1, Figure 7 illustrates an example of a procedure for activating a proxy by a delegating user, who uses the aforementioned portable security device 11, the said mobile communication device 12 and said computer 13, towards a delegated user who uses a portable security device 11BIS and a mobile communication device 12BIS designed to operate in the same way as, respectively, said portable security device 11 and said mobile communication device 12. As shown in Figure 7, this procedure first of all provides for the execution, by the delegating user, of the login procedure (block 601) shown in Figure 3 and previously described. Subsequently, the delegating user selects, by means of the computer 13, an access credential which must be delegated (block 602) and types and / or selects the telephone number of the delegated user (block 603). Once the telephone number has been communicated to the hosting server of the website / web portal 14, said server searches for the mobile communication device 12BIS associated with this telephone number (block 604), after which it signals, via the Internet network 2, to the device mobile communication 12BIS activation of a delegation by the delegating user towards the delegated user. Subsequently, the mobile communication device 12BIS of the delegated user sends to the mobile communication device 12 of the delegating user, via the Internet network 2, respective IP connection parameters (block 605). The mobile communication device 12 of the delegating user, once it has received the IP connection parameters of the mobile communication device 12BIS of the delegating user (block 606), reads and encodes, by means of one or more predefined encryption algorithms , all information (access link, user name, password, possible PIN, any notes, etc.) which are stored on said mobile communication device 12 and on the portable security device 11 of said delegating user and which are relative, i.e. associated with the selected credential (blocks 607 and 608), after which it sends such coded information, via the Internet network 2, to the mobile communication device 12BIS of the delegated user (block 609). Once said device 12BIS has received the encoded information from the mobile communication device 12 of the delegating user (block 610), it decodes and stores this information on said device 12BIS and on the portable security device 11BIS of the delegated user, in particular the login link, username, any notes, etc. on said device 12BIS and the password and / or FIN on said device 11BIS (blocks 611 and 612). Thereafter said device 12BIS sends to device 12, through the Internet network 2, a notification of successful delegation (block 613) and, once said device 12 has received this notification (block 614), the procedure ends (block 615).

The procedure for revoking a proxy is, mutatis mutandis, similar to that for activating a proxy shown in Figure 7 and just described. Therefore, in order not to overburden this discussion, this procedure for revoking a proxy is not described in detail, nor is it shown in the figures.

Finally, as regards the aforementioned display of access and FIN credentials, Figure 8 illustrates an example of a procedure for using this functionality. In particular, as illustrated in Figure 8, this procedure provides, first of all, the execution of the login procedure (block 701) shown in Figure 3 and previously described. Subsequently, the user selects, by means of the mobile communication device 12, a credential to be displayed (block 702). Then the software application of the mobile communication device 12 connects the latter, via NFC technology, to the portable security device 11 (block 703) to read the password and / or the FIN associated with the selected credential (block 704). After that, the mobile communication device 12 also reads the access link, the username, any notes, etc. stored on said mobile communication device 12 (block 705). Finally, said device 12 displays, on respective display means (for example a screen), the information read (block 706). In particular, the information is displayed in a distorted way in such a way as to be readable only by the user who is using said mobile communication device 12. For example, said device 12 can conveniently use, for displaying, distorted characters, different fonts, non-homogeneous backgrounds, etc., similar to what happens with the so-called CAPTCHA tests, After which the procedure ends (block 707).

According to a first alternative embodiment of the present invention, the system 1 does not require the presence or use of the computer 13. In fact, according to said first alternative embodiment of the present invention, a user can directly and only use a smartphone or a tablet 12 and the portable security device 11 in order to use the functions of authentication, storage / modification / deletion of access credentials, access to controlled access web services / systems 3, assignment / removal of proxies and display of access credentials and FINs. Furthermore, according to a second alternative embodiment of the present invention, the system 1 could also not require the presence or use of the portable security device 11. In this case, the passwords and FINs would also be stored directly on the mobile communication device 12.

From the foregoing description the innumerable advantages of the present invention are immediately evident,

In particular, it is important to underline the fact that the present invention allows to protect and manage in a simple and safe way the access credentials of a user to controlled access web services / systems.

In detail, the present invention allows to generate very complex and, therefore, very robust passwords, avoiding, however, the user having to remember them.

Moreover, the present invention protects the access credentials of a user from thefts perpetrated by means of phishing, web spoofing or keylogging techniques and allows assigning and revoking proxies to third parties.

Furthermore, the present invention guarantees maximum security in making online purchases even on computers shared with others, as happens, for example, in internet points and libraries.

Finally, it should be noted that the present invention can be used both for personal use and for professional or business use.

In conclusion, it is clear that various modifications can be made to the present invention, all falling within the scope of protection of the invention as defined in the attached claims.

Claims (15)

CLAIMS 1. System (1) for storing, managing and using a user's access credentials, said system comprising a mobile communication device (12) which: • is associated with a user; • is configured to connect to, and communicate via, the Internet (2) wirelessly; and • is programmed to perform an authentication functionality that includes prompt the user to enter a security code, e check if the security code entered by the user is correct; where the system (1) is configured to perform a logon credential storage and modification functionality, which includes: • execute, through the mobile communication device (12), said authentication function; And, • If the security code entered by the user is correct, allow the user to store, on said system (1), one or more access credentials to be used to access a corresponding controlled access web service / system (3), in which the user's access credentials are stored on the system (1) in encrypted form, e modifying access credentials previously stored on said system (1) by said user; and in which the system (1) is configured to perform also an access functionality to controlled access web services / systems (3), which includes: • execute, through the mobile communication device (12), said authentication function; And, • if the security code entered by the user is correct, connect via the Internet (2) and access a web service / system with controlled access (3) selected by the user using one or more corresponding access credentials stored by said user on said system (1). The system of claim 1, further comprising a portable safety device (11); and in which the system (1) is configured to, when it performs the function of storing and modifying access credentials, to store in encrypted form the user's access credentials that correspond to the same controlled access web service / system (3 ) partially on the portable safety device (11) and partially on the mobile communication device (12). The system of claim 2, wherein the portable security device (11) and the mobile communication device (12) are configured to communicate wirelessly through Near Field Communication technology; and wherein the mobile communication device (12) includes internal storage means and is programmed to: • when performing the authentication function, communicate with the portable security device (11) using Near Field Communication technology in order to check if the security code entered by the user is correct; • when the user uses the functionality of storing and modifying access credentials, store in an erupted form, on the internal storage media, the user's first access credentials that correspond to a given controlled access web service / system (3), and communicate with the portable security device (11) through Near Field Communication technology in such a way as to store in encrypted form, on said portable security device (11), the user's second access credentials that correspond to said given service / web system with controlled access (3); And, • when the user uses the access functionality to controlled access web services / systems (3), retrieve, from the internal storage media, the user's first access credentials that correspond to the controlled access web service / system (3) selected by the user, and communicate with the portable security device (11) through Near Field Communication technology in such a way as to retrieve, from said portable security device (11), the user's second access credentials that correspond to said controlled access web service / system ( 3) selected by the user. The system of claim 3, wherein the portable security device (11) is configured to store in encrypted form a user reference security code, and wherein the mobile communication device (12) is programmed to , when performing the authentication function, communicate with the portable security device (11) via Near Field Communication technology in such a way as to compare the security code entered by the user with the reference security code stored on said portable security device (11), thus checking if the security code entered by the user is correct. The system of claim 1, wherein the mobile communication device (12) includes internal storage means and is programmed to: • memorize in encrypted form, on the internal storage means, a security code of reference of the user; • when performing the authentication function, comparing the security code entered by the user with the reference security code stored on said internal storage means, thus checking if the security code entered by the user is correct; • when the user uses the function of storing and modifying access credentials, store the user's access credentials in encrypted form on the internal storage media; and • when the user uses the access functionality to controlled access web services / systems (3), retrieve, from the internal storage media, the user's access credentials that correspond to the controlled access web service / system (3 ) selected by the user. The system according to any preceding claim, wherein the mobile communication device (12) is programmed to perform the functionality of storing and modifying access credentials and the functionality of accessing controlled access web services / systems (3) . The system according to any preceding claim, further comprising a computer / laptop (13) associated with the user and configured to connect to and communicate over the Internet (2); and wherein the mobile communication device (12) is programmed to communicate with the computer / laptop (13) via the Internet (2) in such a way as to perform, in cooperation with said computer / laptop (13), the storage functionality and modification of access credentials and access functionality to controlled access web services / systems (3). The system according to any preceding claim, configured to also perform a personal identification number storage and modification functionality, which includes: • execute, through the mobile communication device (12), the authentication function; And, if the security code entered by the user is correct, allow the user to store, on said system (1), one or more personal identification numbers associated with the user's ATM and / or credit cards, in which the user's personal identification numbers are stored on the system (1) in encrypted form , And modify personal identification numbers previously stored on said system (1) by said user; and wherein the mobile communication device (12) comprises display means and is configured to also perform a display functionality which includes: • perform the authentication function; and, • if the security code entered by the user is correct, allow the user to select an access credential stored on said system (1) or a personal identification number stored on said system (1), and display in a distorted way, through the display means of said mobile communication device (12 ), the access credential or the personal identification number selected by the user. The system of claim 8, further comprising a portable safety device (11); wherein the portable safety device (11) and the mobile communication device (12) are configured to communicate wirelessly through Near Field Communication technology; and in which the mobile communication device (12) is programmed to, when the user uses the functionality of storing and changing personal identification numbers, communicate with the portable security device (11) through Near Field Communication technology in such a way to be memorized in erupted form, on said portable safety device (11), the personal identification numbers of the user. The system according to claim 8, wherein the mobile communication device (12) includes internal storage means and is programmed to, when the user uses the personal identification number storage and modification functionality, store in erupted form , on said internal storage means, the personal identification numbers of the user. The system according to any preceding claim, comprising a plurality of mobile communication devices (12), each of which is associated with a respective user; said system being configured to perform also a delegation assignment function, which includes: • perform the authentication function through a first mobile communication device (12) associated with a first user; And • if the security code entered by the first user is correct, allowing said first user to assign a proxy to a second user of the system (1) to use one or more specific access credentials of said first user; where the system (1) is configured to also perform a proxy revocation functionality, which includes: • perform the authentication function through the first mobile communication device (12); And • if the security code entered by the first user is correct, allow said first user to revoke the delegation assigned to the second user; and in which the system (1) is configured for, as long as the delegation assigned by the first user to the second user is not revoked by said first user, to allow said second user to use the access functionality to controlled access web services / systems ( 3) on the basis of said specific access credential (s) of said first user. The system of claim 11, further comprising a plurality of portable safety devices (11), each of which is associated with a respective user; in which the portable security devices (11) and the mobile communication devices (12) are configured to communicate wirelessly using Near Field Communication technology; and wherein the first mobile communication device (12) associated with the first user includes first internal storage means and is programmed to: • when performing the authentication function, communicate, through Near Field Communication technology, with a first portable security device (11) associated with said first user in such a way as to check if the security code entered by said first user is correct; • when the first user uses the function of storing and modifying access credentials, store in encrypted form, on the first internal storage means, the first access credentials of said first user that correspond to a given controlled access web service / system (3), and communicate with the first portable security device (11) through Near Field Communication technology in such a way as to store in encrypted form, on said first portable security device (11), second access credentials of said first user which correspond to said given service / controlled access web system (3); • when the first user uses the access functionality to controlled access web services / systems (3), retrieve, from the first internal storage media, the first access credentials of said first user that correspond to the controlled access web service / system ( 3) selected by said first user, and communicate with the first portable security device (11) through Near Field Communication technology in such a way as to retrieve, from said first portable security device (11), the second access credentials of said first user which correspond to said controlled access web service / system (3) selected by said first user; and, • when the first user uses the delegation function, retrieve said specific access credential (s) of said first user from the first internal storage means and also from the first portable security device (11) by communicating with the latter via Near Field Communication technology, encrypt said / and specifies / which access credential / s retrieved / and thus obtaining encrypted information, and sending, via the Internet (2), said encrypted information to a second mobile communication device (12) which is associated with the second user; and wherein said second mobile communication device (12) includes second internal storage means and is programmed to: • when performing the authentication function, communicate, using Near Field Communication technology, with a second portable security device (11) associated with the second user in order to check if the security code entered by said second user is correct; • when the second user uses the functionality of storing and modifying access credentials, store in encrypted form, on the second internal storage means, the first access credentials of said second user that correspond to a given controlled access web service / system (3), and communicate with the second portable security device (11) through Near Field Communication technology in such a way as to store in encrypted form, on said second portable security device (11), second access credentials of said second user that correspond to said given service / controlled access web system (3); • when the second user uses the access functionality to controlled access web services / systems (3), recover, from the second internal storage means, first access credentials of said second user which correspond to the controlled access web service / system (3) selected by said second user, and communicate with the second portable security device (11) by means of technology Near Field Communication in such a way as to retrieve, from said second portable security device (11), second access credentials of said second user which correspond to said controlled access web service / system (3) selected by said second user; And, • when the first user uses the delegation function, receive, through the Internet (2), the encrypted information sent by the first mobile communication device (12), decrypt the encrypted information received from the first mobile communication device (12) thus obtaining the so-called specific access credential (s) of said first user, e storing in encrypted form said / and specifies / that the access credential / s of said first user partly on the second internal storage means and partly on the second portable security device (II) communicating with the latter through Near Field Communication technology. The system of claim 11, wherein the first mobile communication device (12) associated with the first user includes first internal storage means and is programmed to: storing in encrypted form, on the first internal storage means, a reference security code of the first user; • when performing the authentication function, comparing the security code entered by the first user with the reference security code stored on said first internal storage means, thus checking whether the security code entered by the first user is correct; • when the first user uses the function of storing and modifying access credentials, storing in encrypted form, on the first internal storage means, the access credentials of said first user; • when the first user uses the access functionality to controlled access web services / systems (3), retrieve, from the first internal storage means, the access credentials of said first user which correspond to the controlled access web service / system ( 3) selected by said first user; • when the first user uses the delegation function, retrieve said specific access credential (s) of said first user from the first internal storage means, encrypt said / and specifies / which access credential / s retrieved / and thus obtaining encrypted information, and sending, via the Internet (2), said encrypted information to a second mobile communication device (12) which is associated with the second user; and wherein said second mobile communication device (12) includes second internal storage means and is programmed for; • memorizing in erupted form, on the second internal storage means, a reference security code of the second user; • when performing the authentication function, comparing the security code entered by the second user with the reference security code stored on said second internal storage means, thus checking whether the security code entered by the second user is correct; • when the second user uses the function of storing and modifying access credentials, memorizing in an erupted form, on the second internal storage means, the access credentials of said second user; • when the second user uses the access functionality to controlled access web services / systems (3), retrieve, from the second internal storage means, the access credentials of said second user that correspond to the controlled access web service / system ( 3) selected by said second user; and, • when the first user uses the delegation function, receive, through the Internet (2), the encrypted information sent by the first mobile communication device (12), decrypt the encrypted information received from the first mobile communication device (12) thus obtaining the so-called specific access credential (s) of said first user, e storing in encrypted form said specific (s) access credential (s) of said first user on the second internal storage means. 14, IT product including software instructions which are: • executable from a mobile communication device configured to connect to and communicate over the Internet (2) wirelessly; And • such as to cause that, when executed, said mobile communication device becomes programmed as the mobile communication device (12) of the system (1) claimed in any preceding claim. Device configured as the portable safety device (11) of the system (1) claimed in any one of claims 2-4, 9 or 12.