With the release of Gitea 1.16, support for U2F authentication was deprecated. U2F was never a formal standard and browsers might stop supporting the protocol in the near future. The implementation was changed to use WebAuthn, which is a W3C standard. This will also allow passwordless logins, with FIDO2 keys.
I use U2F security keys for Gitea, but these stopped working after the Gitea upgrade. Turns out you have to set the AppID in the app.ini configuration file. I added it, but this still didn't have the desired effect. After some more searching, I discovered you also have to set the "trusted facets".
[U2F]
APP_ID = https://example.com
TRUSTED_FACETS = https://example.com
The values have to contain the URL of the domain. I have Gitea installed in a subdirectory (https://example.com/gitea/), but using the complete link doesn't work.
Gitea recommended to re-register U2F keys, so I did. Hopefully this will keep working for some time, before I have to get new keys.
I'm glad I got this working again, because I find hardware keys easier to use than TOTP apps.