* bcrypt can be easily adjusted at any time to increase the amount of work and thus provide protection against more powerful systems
* The nonce for the hmac value is designed to be stored on the file system and not in the databases storing the password hashes. In the event of a compromise of hash values due to SQL injection, the nonce will still be an unknown value since it would not be compromised from the file system. This significantly increases the complexity of brute forcing the compromised hashes considering both bcrypt and a large unknown nonce value
* The hmac operation is simply used as a secondary defense in the event their there is a future computational risk design weakness with bcrypt that could leak information about the password or aid an attacker
A sample of this code is here: https://github.com/fwenzel/django-sha2