Credentials are commonly stored in a database of some sort, which may be compromised by a database dump or other access short of RCE/MITM. We can encrypt the shared secret in storage, but we still have to be able to recreate the entire secret verbatim.
@pdrakeweb proposed adding a traditional password to our application using HMAC, which can be hashed and salted in the database and sent in a header signed by the HMAC-using client. I'd like to take this further and propose it be included as part of our HMAC standard (optional or otherwise).
I believe this is superior to a time limited secret distribution system because it has less complexity and overhead and because the timed secret distribution system will then inherit the same vulnerabilities described before.
Client passwords are still vulnerable to being exposed wherever encryption (TLS) is terminated. Preventing this would probably not be possible without some sort of handshake which the spec specifically avoided: https://github.com/acquia/http-hmac-spec#why-not-just-use-http-digest
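To make the proposal concrete, here is an added example (not code from the http-hmac-spec project or from the commenter) of what "signed request plus salted password hash" looks like on both sides. The header names, the string-to-sign layout and the use of PBKDF2 for the password hash are assumptions chosen for the example; the spec defines its own canonical form. The scenario function runs a legitimate request, then an attacker holding a full dump of the credential table, then an attacker who knows the password but not the secret.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for a real deployment


def make_password_record(password: str) -> dict:
    """Salted, iterated hash of the client password. Only this goes in the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def make_store(client_id: str, secret: bytes, password: str) -> dict:
    """Constructed credential store, one row per client. The HMAC secret must be
    reproduced verbatim to check signatures, so it is stored as-is (encrypt it at
    rest in a real system); the password is stored only as a salted hash."""
    return {client_id: {"secret": secret, "password": make_password_record(password)}}


def canonical_string(method, path, client_id, nonce, timestamp, password) -> bytes:
    """Hypothetical string-to-sign for this example. The password header is part
    of the signed material, so it cannot be swapped without breaking the MAC."""
    return "\n".join([method.upper(), path, client_id, nonce, str(timestamp), password]).encode()


def sign(secret: bytes, *fields) -> str:
    return hmac.new(secret, canonical_string(*fields), hashlib.sha256).hexdigest()


def build_request(client_id, secret, password, method, path, timestamp, nonce=None) -> dict:
    """Client side: sign the request and carry the password in its own header."""
    nonce = nonce or secrets.token_hex(8)
    sig = sign(secret, method, path, client_id, nonce, timestamp, password)
    return {
        "method": method,
        "path": path,
        "headers": {
            "X-Client-Id": client_id,
            "X-Nonce": nonce,
            "X-Timestamp": str(timestamp),
            "X-Password": password,
            "Authorization": "HMAC " + sig,
        },
    }


def verify_request(store: dict, request: dict) -> bool:
    """Server side: the signature proves possession of the secret, the password
    hash proves possession of the password. Both checks must pass."""
    h = request["headers"]
    cred = store.get(h.get("X-Client-Id"))
    if cred is None:
        return False
    expected = sign(cred["secret"], request["method"], request["path"],
                    h["X-Client-Id"], h["X-Nonce"], h["X-Timestamp"], h["X-Password"])
    presented = h.get("Authorization", "").partition(" ")[2]
    if not hmac.compare_digest(expected, presented):
        return False
    return verify_password(cred["password"], h["X-Password"])


def database_dump_scenario() -> dict:
    """Legitimate client vs. two attackers, each holding only one of the two factors."""
    secret, password = b"shared-secret-from-provisioning", "correct horse battery staple"
    store = make_store("client-1", secret, password)
    legit = build_request("client-1", secret, password, "GET", "/v1/resource", 1700000000)
    # A dump of the table yields the secret verbatim but only a salted hash of the
    # password, so the attacker has to guess it; here the guess is wrong.
    dumped_secret = store["client-1"]["secret"]
    from_dump = build_request("client-1", dumped_secret, "guess", "GET", "/v1/resource", 1700000000)
    # Knowing the password alone (e.g. it was observed where TLS terminates) is not
    # enough either, since the signature needs the secret.
    no_secret = build_request("client-1", b"wrong-secret", password, "GET", "/v1/resource", 1700000000)
    return {
        "legitimate": verify_request(store, legit),
        "dump_with_wrong_password": verify_request(store, from_dump),
        "password_without_secret": verify_request(store, no_secret),
    }
```

The example also makes the caveat above visible: `X-Password` travels in cleartext inside the TLS session, so whatever terminates TLS in front of the verifier sees it; signing the header stops it being swapped in transit but does not hide it.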