Why HMAC Authentication is important for your Web API?

You might have heard of different authentication methods like Basic Authentication, 2 factor Authentication, OAuth(the most popular authentication for Web API), HMAC, etc. Despite having a lot a authentication method, why we need HMAC authentication for your Web API. In this article, we will try to understand it in detail.

HMAC stands for Hashed Key Method Authentication. Hash key makes this method more secure as you know that the hashing is irreversible and can only be validated by regenerating and comparing the hash.

In this method client sends the HMAC value in request and when server receives the request, server regenerates the HMAC using the same algorithm shared between client and server. Then it matches the two keys to validate the request.

With HMAC enabled on your API you can ensure two key things:
1. Data Integrity
2. Replay attack

How can we achieve data integrity?

Data Integrity ensures data consistency and accuracy in the entire life cycle. With HMAC enabled, if someone maliciously tries to manipulate any data in the request before it is received at the server, the complete Hash will change and the server will return HTTP status code 403 Forbidden.

What is Replay attack? How HMAC will help to prevent this?

Replay attack (playback attack) is the attack when attacker tries to replay or repeat the same request to your server or sometimes delays the request, with the HMAC implementation you would be able to prevent such an attack.

Next question is how? It all depends on the algorithm you have used to generate the hash, typically this can be handled by 2 key factor which could be a part of your algorithm i.e timestamp (most of the cases, EPOC time) and nonce (arbitrary generated string).

In my next article, I’m going to cover the detailed implementation and will share the algorithm to show how to implement it in Web API.

I hope this article has helped you understand the basic about Hashed method authentication. Stay tuned!