At this point we don't know of any attack against the request; however, that is
not guaranteed to remain the case.
If we send the secret in plain text through the browser it likely will never
get IETF acceptance.
We use HMAC a fair bit already; I don't think that would be a significant hurdle.
Depending on the level of assurance that you might want to achieve, it
could have been a random string. That's how some of the existing, widely
deployed implementations are doing it.
I have taken a step forward to do the hashing to give a little more
protection, so that even if malware on the device