Back to Blog
AI Engineering

Building a Real-Time Facial Recognition Attendance System: The Hard Parts

July 1, 2025
AI/MLTensorFlowNode.jsGDPRBiometrics

Building a Real-Time Facial Recognition Attendance System: The Hard Parts

Building a facial recognition demo is straightforward. Building one that works reliably in a 500-person office with varying lighting, masks, and glasses — and that passes a GDPR audit — is a different problem entirely.

The Stack

Node.js backend, OpenCV + TensorFlow for recognition, React frontend, Firebase for real-time sync. The model: a fine-tuned FaceNet with a custom anti-spoofing layer.

Hard Part 1: Anti-Spoofing

Our first version could be fooled by holding up a photo on a phone. We added a liveness detection step using a depth estimation model that checks for 3D facial structure. False positive rate dropped from 12% to 0.3%.

Hard Part 2: Low-Light Accuracy

The office entrance had inconsistent lighting. Accuracy dropped from 99.1% in good light to 87% in low light — unacceptable for an attendance system. Solution: histogram equalization as a preprocessing step, plus a confidence threshold that falls back to a PIN entry when confidence is below 92%.

Hard Part 3: GDPR-Compliant Biometric Storage

Biometric data is special category data under GDPR. We cannot store raw face images. Instead, we store only the 128-dimensional face embedding vector, encrypted at rest with AES-256. The original image is discarded immediately after embedding extraction. Deletion requests are handled by deleting the embedding — the original image never existed in storage.

Hard Part 4: Real-Time Sync at Scale

With 500 employees checking in within a 30-minute window, the Firebase real-time database was getting hammered. We batched attendance writes into 5-second windows and used Firebase transactions to prevent duplicate check-ins from rapid retries.

What I'd Change

I'd evaluate AWS Rekognition for the recognition layer earlier. The operational overhead of maintaining a custom TensorFlow model in production (retraining, versioning, serving infrastructure) is significant. For most use cases, a managed service is the right call.