What is two-factor authentication and why should I use it?

Identity (online and elsewhere) is confirmed using either something you know (a password), something you have (a mobile phone, a physical token), or something you are (a fingerprint, an iris or voice scan). The principle of defense in depth suggests the use of multi-factor authentication. So, even if you are using unique passwords with high entropy (for instance, generated with and stored in a password manager), for accounts of high value to you (such as your main Google, Twitter, GitHub/GitLab, Dropbox or Facebook account), you should consider adding another layer of protection by configuring these services to use more than one method of authentication.


What is FIDO U2F/CTAP1 and why should I use it?

Universal 2nd Factor (U2F) is an open authentication standard supplying an authentication factor in the category of "things that you have" in the form of a physical token that connects to your computing device via USB or NFC. Compared to time-based one-time password (TOTP) generators such as Google Authenticator or Authy (also "things that you have" by virtue of being apps on your mobile phone), U2F offers two main advantages:

a) convenience of inserting a USB device and simply pressing a button (over unlocking your phone and copying a token manually). It is a similar experience to using a house or car key.

b) phishing protection: whereas a scam/MITM site can immediately use your password + TOTP combination, with U2F phishing is prevented by virtue of its challenge-response design involving the original site, transport layer security and the browser. Here is one blog post explaining this.

Of course, SMS codes, the third common "thing that you have" factor, are even less secure.

Compared to the category of "things that you are" such as fingerprints, U2F offers privacy and revocability.

With the upcoming FIDO2 protocol, U2F is now sometimes referred to synonymously as CTAP1.


What is U2F Zero and why should I buy one?

To quote its creator: U2F Zero is a secure and open source 2 factor authentication token, designed to be affordable and reliable. You can find a lot of information on its official web site and GitHub repository, in particular the wiki and issues sections. Compared to the industry leader, Yubikey, the U2F Zero token is fully open source. Compared to another popular open source option, NitroKey (which reuses the U2F Zero implementation), the U2F Zero looks waaay cooler :p


Which operating systems and browsers is U2F Zero compatible with?

U2F Zero connects via USB-A to desktop or laptop PCs running Windows, macOS, Linux or ChromeOS. Chrome and Opera support U2F out of the box. With Firefox, you need to navigate to "about:config" and enable "security.webauth.u2f". Safari does not support U2F.


What about that Firefox bug?

Firefox Quantum surfaced a bug in the implementation of U2F Zero. It has since been fixed, and we sell only the newer version, which works with Firefox.


What about these Linux udev rules?

If your U2F Zero does not work with Linux out of the box, you need to add a udev rule so that Linux recognizes the device properly.


How many sites can I use U2F Zero with?

Whereas a previous version of U2F Zero supported only 15 sites, the latest version we distribute supports an unlimited number of sites using key derivation, similar to what Yubikey does.
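The two points above (phishing protection through the challenge-response design bound to the site, and unlimited sites through key derivation) can be shown together in a small model of a token. This is an added example, not U2F Zero's firmware: the master secret, the two origins and the key-handle layout are constructed for the demo, and the final HMAC stands in for the ECDSA P-256 signature a real token produces, since the Python standard library has no ECDSA.

```python
import hashlib
import hmac
import os

# Constructed device master secret; a real token keeps this inside the chip.
MASTER_SECRET = hashlib.sha256(b"constructed U2F Zero demo secret").digest()


def _derive_private_key(app_id: str, nonce: bytes) -> bytes:
    # Per-site key = HMAC(master secret, appId || nonce). Nothing per site is
    # stored on the token, which is why the number of sites is unlimited.
    return hmac.new(MASTER_SECRET, app_id.encode() + nonce, hashlib.sha256).digest()


def register(app_id: str) -> bytes:
    """Return the key handle the site stores for this token.

    Key handle = nonce || MAC(master, appId || nonce). The MAC lets the token
    later recognise its own handle and the site it was issued for. (A real
    token also returns the public key and an attestation certificate.)
    """
    nonce = os.urandom(32)
    tag = hmac.new(MASTER_SECRET, b"handle" + app_id.encode() + nonce, hashlib.sha256).digest()
    return nonce + tag


def authenticate(app_id: str, key_handle: bytes, challenge: bytes):
    """Sign the challenge if key_handle was issued for app_id, else return None.

    app_id is supplied by the browser from the origin actually loaded, so a
    look-alike site relaying the real site's challenge presents a different
    app_id and the token refuses ("wrong site").
    """
    nonce, tag = key_handle[:32], key_handle[32:]
    expected = hmac.new(MASTER_SECRET, b"handle" + app_id.encode() + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    priv = _derive_private_key(app_id, nonce)
    # Stand-in for the ECDSA signature over the appId hash and the challenge.
    return hmac.new(priv, hashlib.sha256(app_id.encode()).digest() + challenge, hashlib.sha256).digest()


def phishing_demo():
    """Return (real site accepted, look-alike site rejected)."""
    real = "https://example.com"    # constructed relying party origin
    phish = "https://examp1e.com"   # constructed look-alike origin
    handle = register(real)
    challenge = os.urandom(32)      # the real site's challenge, relayed by the phisher
    return (authenticate(real, handle, challenge) is not None,
            authenticate(phish, handle, challenge) is None)
```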


How stable is U2F Zero physically?

From personal experience, the button on the U2F Zero is its Achilles heel, in the sense that it can pop off. Hence we cannot recommend carrying it unprotected in your pocket/on a keychain. We have not heard of any physical issues in stationary use.


What if I lose or break my U2F Zero?

You should not rely on a single method as your second factor. We suggest ordering a backup U2F Zero, and additionally storing backup codes offline or using some TOTP service that you trust.

A cool idea illustrating how neat open source is comes from one of our customers, Dmitry Frank: https://dmitryfrank.com/articles/backup_u2f_token. In that article, he describes how to "pre-clone" two U2F Zero tokens such that when you register one token on a site, the second one works automatically. It's like having two keys to your "security car"!


Does U2F Zero support Bluetooth or NFC? Is there a case? What about FIDO2?

No such luck, currently. Various projects are in Conor's pipeline however, so this answer will change.