The way I see it, you should indeed use something like a WiFi connection from the KeyDuino and keep all security aspects on it.
Because if the security is managed through the smartphone, whatever the URL sends back, you can reproduce it with anything, so the door is not secured.
It depends on whether you need it for a "kinda secure door" or a real one.
If you can use the connection from KeyDuino, you would probably need an HCE application on the phone, and something to check the identity on a server.
Or you can just use an HCE application on your phone and write the expected response "hard" in the KeyDuino.