This HMAC should also be applied to the session.
And for performance reasons, we should keep a cache of valid signatures to avoid reading the secret key from the filesystem on each request.
Also, we could make this feature a generic tool to sign any value in the database.
I followed this talk: https://talks.m4dz.net/crypto-pour-les-devs/#32
And the speaker advises HMACing the password hash with a secret key to ensure that, in case of SQL injection, replacing the hash and salt does not work.
The difficulty is storing the HMAC key in a secure way. The best is to use dedicated hardware, but indeed, storing it just on the filesystem is already quite effective. So I propose to have, by default, a way to HMAC using a secret on the filesystem and use the standard hmac module, but the API must be generic enough to allow using products like YubiHSM2.
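As an added example (not code from this project or from the talk), here is what a generic signer with a pluggable key backend could look like, using only the standard `hmac` and `hashlib` modules: the default backend reads the key from the filesystem once and keeps it in memory, the password hash is HMACed with it before storage, and a `Signer` with the same `sign()` method could be backed by a YubiHSM2 instead. The names `Signer`, `FileKeySigner`, `store_password`, `verify_password`, the PBKDF2 parameters and the sample passwords are assumptions made up for the example. The `demo()` scenario shows why the pepper helps: an attacker who can overwrite the salt and hash through SQL injection, but has no access to the key, still cannot log in.

```python
"""Added example: HMAC-peppered password hashes with a pluggable key backend.

Not the project's own code. Names and parameters below are assumptions.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional, Protocol

# Constructed value for the example; tune the work factor for the real deployment.
PBKDF2_ROUNDS = 100_000


class Signer(Protocol):
    """Backend-agnostic signing API.

    A hardware backend (e.g. a YubiHSM2 wrapper) would implement the same
    method, so callers never see the key.
    """

    def sign(self, data: bytes) -> bytes: ...


class FileKeySigner:
    """Default backend: HMAC-SHA256 with a secret key stored on the filesystem.

    The key is read once and kept in memory, so the file is not re-read on
    every request.
    """

    def __init__(self, path: str) -> None:
        self.path = path
        self._key: Optional[bytes] = None

    def _load_key(self) -> bytes:
        if self._key is None:
            with open(self.path, "rb") as f:
                key = f.read()
            if len(key) < 32:
                raise ValueError("HMAC key must be at least 32 bytes")
            self._key = key
        return self._key

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._load_key(), data, hashlib.sha256).digest()


def store_password(signer: Signer, password: str) -> tuple:
    """Return (salt, peppered_hash): both go in the database, the key does not."""
    salt = secrets.token_bytes(16)
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, signer.sign(h)


def verify_password(signer: Signer, password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute hash and pepper, compare in constant time."""
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(signer.sign(h), stored)


def demo() -> dict:
    """Constructed scenario: legitimate login, wrong password, injected row."""
    with tempfile.TemporaryDirectory() as d:
        key_path = os.path.join(d, "hmac.key")
        with open(key_path, "wb") as f:
            f.write(secrets.token_bytes(32))
        os.chmod(key_path, 0o600)  # key readable by the application user only
        signer = FileKeySigner(key_path)

        salt, stored = store_password(signer, "correct horse")
        legit = verify_password(signer, "correct horse", salt, stored)
        wrong = verify_password(signer, "wrong password", salt, stored)

        # Attacker with SQL injection but no key: overwrites the row with a
        # salt and an unpeppered PBKDF2 hash of a password they know.
        atk_salt = secrets.token_bytes(16)
        atk_hash = hashlib.pbkdf2_hmac("sha256", b"attacker", atk_salt, PBKDF2_ROUNDS)
        injected = verify_password(signer, "attacker", atk_salt, atk_hash)

        return {"legit": legit, "wrong": wrong, "injected": injected}


if __name__ == "__main__":
    print(demo())
```

Because `verify_password` only ever calls `signer.sign()`, swapping `FileKeySigner` for an HSM-backed implementation changes nothing in the password code; the same `Signer` can also sign any other database value, as suggested above.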