Page "Hash-based message authentication code" Paragraph 52

The cryptographic strength of the HMAC depends upon the size of the secret key that is used.

The most common attack against HMACs is brute force to uncover the secret key.

HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.