A device includes a memory and a processor. The processor is to execute the instruction to: receive, from a user device, a username of a user and a string; retrieve a first Message Authentication Code (MAC) and a salt from a database in response to receiving the username and the string; send the first MAC, the salt, and one or more parameters to a Hardware Security Module (HSM); receive, from the HSM, a message indicating whether the first MAC matches a second MAC that the HSM generates based on the one or more parameters and the salt. In addition, the processor to perform one of: authenticate the user when the message indicates that the first MAC matches the second MAC; or not authenticate the user when the message indicates that the first MAC does not match the second MAC.