Why double hash
Single hash vulnerable to length-extension attacks (SHA-2 based). Double hash + key masking eliminate.
Advertisement
Constant-time comparison
Verify HMAC via constant-time comparison. Timing attacks on == leak byte-by-byte match.
Advertisement
HMAC-SHA256
Most common instantiation. Used in JWT (HS256), API signatures (AWS SigV4), OAuth.
KMAC for SHA-3
SHA-3's sponge design doesn't need HMAC wrapping. KMAC is native SHA-3 MAC.