Hash-based message authentication code (HMAC) provides the server and the client each with a public and private key. The public key is known, but the private key is known only to that specific server and that specific client. The client creates a unique HMAC, or hash, per request to the server by combing the request data and hashing that data, along with a private key and sending it as part of a request. The server receives the request and regenerates its own unique HMAC. The server compares the two HMACs, and, if they're equal, the client is trusted and the request is executed. This process is often called a secret handshake.
What makes HMAC more secure than Message Authentication Code (MAC) is that the key and the message are hashed in separate steps.
The spate of credit card breaches of major retailers demand more advanced cryptography standards to protect credit card holders. The Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt specific card holder information. Understanding the choice of encryption methods such as hashing, public-private key and others is a high priority towards ensuring retailers don’t get breached. Learn more about authentication, and get started by reading a primer on multifactor authentication in the enterprise. Then read our comparison of MFA tools to get the inside scoop on the product landscape.