I'm considering implementing an authentication service without storing users' passwords/hash.
I want to use a key derivation function with a corresponding username and a master secret key to calculate the password of the user (the user is actually a service), then deliver the derived password to each user (service).
Something like using HMAC(secret_master_key, username) or PBKDF2(HMAC(secret_master_key, username)) as the long-term password for the user. Or maybe some other algorithm would be more suitable for this scenario?
Is this way secure cryptographically? Thanks in advance.
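
The HMAC(secret_master_key, username) derivation described in the question, as an added example that is not part of the original post: the authentication service keeps only the master key, recomputes a service's password on demand and compares it in constant time. The function names, the `svc-password-v1` label, the generation counter and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

LABEL = b"svc-password-v1\x00"      # assumed domain-separation label
DEMO_MASTER_KEY = bytes(range(32))  # constructed sample key, not for real use


def derive_service_password(master_key: bytes, username: str, generation: int = 0) -> str:
    """Return HMAC-SHA256(master_key, label || generation || username) as text."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 random bytes")
    # The fixed-width generation keeps the HMAC input unambiguous; bumping it
    # rotates one service's password without changing the master key.
    msg = LABEL + struct.pack(">I", generation) + username.encode("utf-8")
    tag = hmac.new(master_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")


def verify_service_password(master_key: bytes, username: str,
                            presented: str, generation: int = 0) -> bool:
    """Recompute the password and compare in constant time; nothing is stored."""
    expected = derive_service_password(master_key, username, generation)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    pw = derive_service_password(DEMO_MASTER_KEY, "billing-service")
    print(len(pw), verify_service_password(DEMO_MASTER_KEY, "billing-service", pw))
```

Anyone who obtains the master key can compute every service's password, so the scheme is only as strong as the protection of that one key.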