The original FIDO second-factor standard built on a hardware key, superseded by FIDO2.
U2F (Universal 2nd Factor) is the original FIDO standard (2014, FIDO Alliance) for second-factor authentication with a hardware key (YubiKey, Google Titan). Its direct successor is FIDO2 (WebAuthn + CTAP2), which adds passwordless login, mobile support and a modern UX. U2F is now officially deprecated in favour of FIDO2 but is still used by some legacy applications.
How it works (similar to FIDO2, but more limited):
(1) The user logs in with a password.
(2) The server prompts for the second factor.
(3) The user touches the hardware key.
(4) The key signs the challenge with a stored private key that is specific to the site.
(5) The server verifies the signature → authenticated.
Protocols: (1) **CTAP1** (originally the U2F protocol itself), a USB-HID protocol for communicating with USB keys; (2) **NFC** support; (3) **BLE** support (less common).
Differences vs FIDO2:
- U2F: 2FA only (always paired with a password), no resident credentials, no biometric verification.
- FIDO2: passwordless capable, resident credentials ("passkeys"), user verification (biometric/PIN), platform authenticators (Touch ID, Windows Hello).
U2F strengths: (1) **Phishing-resistant** (origin binding: the key and its signature are tied to the site's app ID); (2) **Hardware security** (the private key is non-exportable); (3) **Simple UX** (just touch the key).
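The challenge-signing flow of steps (3) to (5) and the origin binding behind strength (1), as an added Go example that is not part of this page: it models a key holding one non-exportable P-256 private key per registered app ID, the U2F authentication message layout (app ID hash, user-presence byte, counter, challenge hash), and the server-side verification. The app IDs and client-data JSON are constructed sample values.

```go
package main

import "crypto/ecdsa"
import "crypto/elliptic"
import "crypto/rand"
import "crypto/sha256"
import "encoding/binary"

// Authenticator models a U2F key: one non-exportable P-256 key per registered origin (app ID) and a usage counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func must(err error) { if err != nil { panic(err) } }
// Register enrols a fresh site-specific key pair; the server stores the public key.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	a.keys[appID] = priv
	return &priv.PublicKey
}
// signedData is the U2F authentication message: SHA-256(appID) || 0x01 (user present) || 4-byte counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	appHash, chalHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(appHash[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	return append(msg, chalHash[:]...)
}
// Authenticate is the "touch": the key signs the challenge bound to the origin the browser reports; a lookalike origin has no key.
func (a *Authenticator) Authenticate(appID string, clientData []byte) ([]byte, uint32, bool) {
	priv, found := a.keys[appID]
	if !found {
		return nil, 0, false
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	must(err)
	return sig, a.counter, true
}
// Verify is the server check: the signature must cover the server's own app ID and challenge, and the counter must advance.
func Verify(pub *ecdsa.PublicKey, appID string, clientData, sig []byte, counter, last uint32) bool {
	if counter <= last {
		return false // replayed assertion or cloned key
	}
	digest := sha256.Sum256(signedData(appID, counter, clientData))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```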
Limitations: (1) **Always requires a hardware key** (no platform-authenticator support); (2) **No passwordless login** (always paired with a password); (3) **No native mobile support** (browser only originally); (4) **No user verification** (PIN/biometric).
U2F → FIDO2 migration: services that supported U2F have mostly upgraded to FIDO2. Hardware keys (YubiKey 4 and 5, Google Titan) support both protocols seamlessly. On the server side, the WebAuthn libraries need to be migrated.
Industry status: U2F is officially deprecated; new implementations should use FIDO2/WebAuthn. It remains in use in (1) older deployments not yet migrated and (2) legacy applications kept for compatibility. Related certifications: SC-300, Security+, CISSP.