The HMAC algorithm is current best practice for message authentication.
SHA-2 is current best practice for hashing and approved by FIPS and other authorities.
The security of HMAC is dependent on a sufficiently large key value. Glance currently assigns a 128 bit random API key, but a larger key can easily be assigned to any Glance customer.
In the case that a Login Key is generated with an erroneously long expiration, the customer's API key can be updated to invalidate any outstanding keys. This is mitigated somewhat by limiting how far in the future expiration will be allowed.
There is no nonce value in the key that prevents replay attacks. This is because the mechanism is designed to be stateless. The expiration timestamp mitigates this potential concern. The Login Key should be sent over a secure connection. The Login Key is sent between the Glance user (session host or co-browse agent) and Glance. It is not sent to the end guest/visitor.
The Login Key is intended as a password replacement, not for signing an entire command. It does not include the Session Key and other parameters including display, forward/reverse, and remote control requested.
There is no three-party authentication as in OAuth. Currently, the usage is for customers or partners to generate their own keys for their own users, using their own API Key.