I built a prototype device so I could make very long password entry easier, the device just used bluetooth to a mobile app, but the magic took place in a leonardo chip that spoke HID over usb. This allowed me to replay a sequence of keys to unlock a workstation.
I never went into the rubber ducky use case, but effectively any key sequence you would have to invoke to infect a system can also be replayed.
The article is here REF:http://www.blogsploit.co.uk/2018/01/project-bluepass-easy-password-entry.html
With you, keeping secrets on phone is neat. Just that personally i do find it more convenient to swipe card to login just as natural to opening the office locked doors
Also agree with you smartphones give better versatility. While attempting to add TOTP feature, the dilemma between giving up the name card holder form factor to add RTC chip and coin cell battery holder, or some unholy powershell script was a hard choice. I ended up succumbed to the easier scripting solution to feed the MCU with a timestamp via serial. With a smartphone talking bluetooth, TOTP should be a piece of cake.