"Yes, HCE makes it less secure," says Zumerle. "When you remove hardware based security from the picture, that's always going to give attackers more ways to reach you."
Segmented devices, he explained, are the better solution. TIMA in Samsung's Knox security suite, for example, stores secure configuration volumes in a secure portion of the device's chip.
"During runtime, it compares the values of the secure section with the current values of the device, so if something changes, you can immediately kill the secure portion of the device," he says. "It's the same thing you can do with some access control or payment applications; if they've been tampered with, you can embed those controls and try to kill the application."
Some inherent risks still remain, however. After all, in a scenario with something like access control, there's nothing stopping attackers from just picking up an employee's phone -- in the event that it's lost or stolen -- and using it to swipe in.
"No, nothing prevents people from doing that," says Zumerle. "The device is enabled to pair with the reader automatically. You would have to have some sort of combined set up; for example, no NFC if the device is locked. Some vendors do that, but it's at the expense of convenience. It all depends on how much risk an enterprise is willing to take."
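To make the two mechanisms described above concrete, here is an added Python sketch; it is illustrative code written for this article, not code from Samsung Knox, TIMA or any vendor the interviewees mention. It models a baseline of secure configuration values, a runtime comparison that disables the secure portion of the device when the live values no longer match, and a policy gate that refuses to release an NFC credential while the device is locked. All names, fields and values are constructed assumptions.

```python
import hashlib

# Constructed baseline of "secure configuration" values. On a real device these
# would be held in a hardware-isolated store; here they are plain Python data.
BASELINE = {
    "bootloader": "v2.1-locked",
    "kernel_integrity_policy": "enforcing",
    "access_control_applet": "build-1234",  # constructed identifier
}


def measure(values):
    """Digest a configuration dictionary in a canonical (sorted) order."""
    h = hashlib.sha256()
    for key in sorted(values):
        h.update(key.encode())
        h.update(b"=")
        h.update(str(values[key]).encode())
        h.update(b"\n")
    return h.hexdigest()


class SecureContainer:
    """Hypothetical secure portion of the device guarded by a runtime check."""

    def __init__(self, baseline_digest):
        self.baseline_digest = baseline_digest
        self.alive = True  # once killed, the container stays dead

    def runtime_check(self, current_values):
        """Compare live values against the baseline; kill the container on mismatch."""
        if measure(current_values) != self.baseline_digest:
            self.alive = False
        return self.alive


def release_credential(container, device_locked, require_unlock=True):
    """Decide whether the NFC access credential may be presented to a reader.

    require_unlock models the "no NFC if the device is locked" policy from the
    interview; turning it off trades security for convenience.
    """
    if not container.alive:
        return False  # secure portion was killed after a tampering event
    if require_unlock and device_locked:
        return False  # lost or stolen phone cannot swipe in while locked
    return True


if __name__ == "__main__":
    container = SecureContainer(measure(BASELINE))
    print("intact:", container.runtime_check(dict(BASELINE)))
    print("locked tap allowed:", release_credential(container, device_locked=True))
    tampered = dict(BASELINE, bootloader="v2.1-unlocked")
    print("after tamper:", container.runtime_check(tampered))
    print("unlocked tap allowed:", release_credential(container, device_locked=False))
```

The canonical digest is what makes the comparison meaningful: without sorting the keys, two equal configurations could hash differently and trigger a false kill. The `require_unlock` flag is the convenience trade-off Zumerle describes; leaving it on is the conservative choice for a lost-device scenario.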
Asrar adds that even though failsafes typically boil down to native security features of the platform (like device locking), they're often not implemented, so it's up to enterprises to roll out additional safety measures.
"A lot of people don't even have passcodes," says Asrar. "But there are additional wares out there like single sign on [for two-factor authentication] that can be tied into enterprises' deployments."
Ultimately, while both Zumerle and Asrar feel that there are certainly inherent risks, whether or not it's safe to use mobile devices for access control also depends on the context. As Zumerle points out, the practice forces people to rely on the hardware. But when they do that and want to account for the entire spectrum of mobile devices, it becomes more difficult, since the hardware security features are not the same across devices.
"Technically, if you have a solution that is set up with some security precautions, there are, today, the technological tools that make it so that it's something that enterprises could use," says Zumerle. "So yes, but it depends on the exact solution. Something well done can work, but you need to have the right measures in place. If you implement something that only works for a specific device or scenario -- like something that's good for a specific project -- and then you want to do something like BYOD, then it starts to get complicated."