So NFC is just like a barcode in that it stores a unique number. Almost all Android phones have them. All iphone have them but only the latest few versions allow other Apps access to the NFC controller. Only Google tablets (i think) have an NFC reader. Its the same functionality as contactless cards and Applepay etc
The thing is cloning an NFC tag is as trivial as buying some off ebay and installing a suitable free app. The main safety feature is most people don’t know they can do this.
The most secure way is to use an App where they have to login with their personal gmail account. Then you use UserEmail() to pull that into the clock in/out record so you know who is who.
Some of the stuff we put in our timesheet systems - https://1minmanager.com/timesheets/