What if you did something like (using the example from the article) A value which shares no bytes in common with the secret digest will return immediately; a value which shares the first 15 bytes will return 15 compares later.
You keep track of the time while doing the comparison, then before spitting back the result you feed the amount of time to a separate function that will sleep (or whatever) a certain amount of predetermined time so that all results process in the same time.
I realize this is a bit excessive, and will slow down your code quite a bit, but if you are really that worried about this type of attack, why not?
You don't really need to. You can guarantee that the right HMAC and the wrong HMAC both take exactly the same amount of time to compare by using a constant-time algorithm like the one in the article without dealing with non-portable, unreliable timers.
(In some languages—hi Ruby!—you might not even have access to reliable millisecond-resolution timing.)
You keep track of the time while doing the comparison, then before spitting back the result you feed the amount of time to a separate function that will sleep (or whatever) a certain amount of predetermined time so that all results process in the same time.
I realize this is a bit excessive, and will slow down your code quite a bit, but if you are really that worried about this type of attack, why not?