# What Is Facial Recognition? Biometric Verification and KVKK Guide

> Source: https://sukruyusufkaya.com/en/blog/yuz-tanima-nedir
> Updated: 2026-07-05T16:08:57.602Z
> Type: blog
> Category: yapay-zeka
**TLDR:** What is facial recognition? Facial recognition is a biometric verification technology that turns a human face in an image into a numerical signature and compares it with enrolled faces to establish identity. This guide: a clear definition, how it works, the difference from face detection, use types, security applications, the KVKK dimension, limits, and FAQs.

<tldr data-summary="[&quot;Facial recognition is a biometric verification technology that turns a face in an image into a numerical signature and compares it with enrolled faces to establish identity.&quot;,&quot;Two stages: face detection (finding the face in the image) and facial recognition (determining whose face it is).&quot;,&quot;Two modes: verification (1:1) and identification (1:N).&quot;,&quot;Most common uses: phone unlocking, border gates, payment approval, and security applications.&quot;,&quot;In Türkiye, facial data is special-category personal data under KVKK; explicit consent and secure storage are required.&quot;]" data-one-line="The short answer to what is facial recognition: a biometric verification technology that turns a face into a numerical signature and compares it with enrolled faces to establish identity."></tldr>

What is facial recognition? Facial recognition (turning a face into an identity decision) is a biometric verification technology that detects a human face in a camera image, converts the facial features into a numerical signature, and compares that signature with enrolled faces to establish identity. In short, facial recognition lets machines answer the question "whose face is this?".

A password can be forgotten, a card can be stolen; but your face is always with you. That is the core idea behind the answer to what facial recognition is: binding identity not to something a person carries but directly to their physical trait. This guide answers what facial recognition is, how it works, how it differs from face detection, which security applications use it, and why the KVKK dimension is critical.

<definition-box data-term="Facial Recognition" data-definition="A biometric verification technology that detects a human face in an image or video stream, converts the facial features into a numerical signature (template/embedding), and compares it with enrolled faces to establish identity. It relies on a person's physical trait rather than a password; it is used for authentication and security applications, and because facial data is personal data it is protected under KVKK." data-also="facial recognition, face recognition, facial recognition system, biometric face recognition"></definition-box>

## Why Does Facial Recognition Matter?

The classic ways of authentication — something you know (a password), something you have (a card) — are fragile: passwords leak, cards get copied. Biometric verification changes this equation; it binds identity to "something you are". Facial recognition is the most natural of these biometric methods because it is contactless and requires no special action: the user simply looks at the camera.

This convenience spread facial recognition rapidly from phone unlocking to border gates, from banking to retail. But the same convenience brings a serious responsibility: a face is an immutable identity. If you leak a password you can change it, but if your face template leaks you cannot "reset" it. That is why the risks of facial recognition technology, as much as its value, must be designed in from the very start.

From an enterprise perspective, the appeal of facial recognition is that it reduces friction: a customer can prove their identity without visiting a branch, without remembering a password, simply by looking at the camera. This speeds up many processes, from remote banking to online exam proctoring. But that speed can turn into a liability without a measurable security and compliance framework. The right question is not "should we use facial recognition?" but "in which process, with what safeguards, and on what legal basis should we use it?".

## How Does Facial Recognition Work?

Facial recognition is not a single magic step; it is the sum of several successive stages. Modern systems perform these stages with deep-learning-based computer vision models.

<howto-steps data-name="Steps of a facial recognition process" data-description="The core steps facial recognition follows from a camera image to an identity decision." data-steps="[{&quot;name&quot;:&quot;Face detection&quot;,&quot;text&quot;:&quot;The system finds whether and where a face exists in the image (face detection).&quot;},{&quot;name&quot;:&quot;Alignment and normalization&quot;,&quot;text&quot;:&quot;The face is rotated and scaled relative to reference points like eyes and nose; the effect of light and angle is reduced.&quot;},{&quot;name&quot;:&quot;Feature extraction&quot;,&quot;text&quot;:&quot;A neural network converts the face into a person-specific numerical signature (face embedding / template).&quot;},{&quot;name&quot;:&quot;Comparison and decision&quot;,&quot;text&quot;:&quot;This signature is compared with enrolled signatures via a similarity score, and a match is decided against a threshold.&quot;}]"></howto-steps>

The idea at the heart of the process is this: the face is stored not as a photo but as a sequence of numbers (an embedding) representing its meaning. Two faces being "the same person" means these two number sequences are close enough to each other. This approach also makes it easier to understand other AI architectures that use the same semantic representation; we cover this logic in more depth in the <a href="/en/blog/embedding-nedir">what is an embedding</a> and <a href="/en/blog/computer-vision-nedir">what is computer vision</a> guides.

## What Is the Difference Between Face Detection and Facial Recognition?

These two terms are often confused but do different jobs. Face detection finds whether and where a face exists in an image — your phone camera drawing a box around it is an example. Face detection does not ask for identity; it only says "there is a face here". Facial recognition goes a step further and answers "whose face is this?".

<comparison-table data-caption="Core differences between face detection and facial recognition" data-headers="[&quot;Dimension&quot;,&quot;Face Detection&quot;,&quot;Facial Recognition&quot;]" data-rows="[{&quot;feature&quot;:&quot;Question asked&quot;,&quot;values&quot;:[&quot;Is there a face, and where?&quot;,&quot;Whose face is this?&quot;]},{&quot;feature&quot;:&quot;Output&quot;,&quot;values&quot;:[&quot;Face location (box)&quot;,&quot;Identity / match decision&quot;]},{&quot;feature&quot;:&quot;Personal data&quot;,&quot;values&quot;:[&quot;Usually anonymous&quot;,&quot;Directly tied to identity&quot;]},{&quot;feature&quot;:&quot;KVKK risk&quot;,&quot;values&quot;:[&quot;Low&quot;,&quot;High (special-category data)&quot;]},{&quot;feature&quot;:&quot;Example&quot;,&quot;values&quot;:[&quot;Focus box in camera&quot;,&quot;Unlocking a phone&quot;]}]"></comparison-table>

This distinction is critical in practice: face detection alone usually carries low privacy risk because it recognizes no one. Facial recognition, being directly tied to identity, brings a far heavier responsibility both technically and legally. Whether a system does only face detection or true facial recognition is the first question of a KVKK assessment.

## Types of Facial Recognition: Verification and Identification

Facial recognition works in two core modes, and confusing them is a common mistake. The first is verification (1:1): the system compares the presented face with a single enrolled face and answers "is this person who they claim to be?". Your phone unlocking is in this mode — the phone already knows who you "claim" to be and merely verifies it.

The second is identification (1:N): the system compares the presented face with many faces in a database and answers "who is this person?". Matching against a watchlist at an airport is an example. Identification is far more sensitive for privacy because it allows a person's identity to be established in a crowd without their consent. The distinction between these two modes sits at the center of both security applications design and the KVKK dimension assessment.

## Where Is Facial Recognition Used? Security Applications and Sector Examples

Facial recognition is used today in a much wider range than expected. The most visible use is smartphone face unlock (for example Apple Face ID); this is followed by identity verification during remote customer onboarding in banking apps. Automated passport gates at airports use facial recognition for border security.

Security applications are the most controversial but most widespread area of this technology: building access control, staff attendance tracking, stadium and event security, and suspect detection. There are also trials of face-instead-of-checkout payment approval in retail and patient-identity matching in healthcare. In Türkiye, remote identity verification processes in e-government and banking are among the leading areas that use facial recognition together with liveness detection. The common thread in every scenario is this: the more powerful the technology, the more robust the surrounding security applications and KVKK controls must be.

## How Is Facial Recognition Data Stored?

The most misunderstood aspect of facial recognition systems is the assumption that "a photo of my face is sitting somewhere". A well-designed system does not store the raw photo; it converts the face into an irreversible numerical template (embedding) and keeps only that template. Reconstructing a face photo from the template is practically impossible; this is the first and most important engineering decision for protecting privacy.

That said, the template itself is also personal data, because it can be linked to an identity. That is why templates must be stored encrypted, their access logged, and, where possible, kept on-device and never sent to a server. A phone's face-unlock feature storing the template in a secure hardware enclave, never leaving the device, is a good example of this. Templates gathered in a central database, on the other hand, form both a stronger target and a larger KVKK dimension risk. The right storage architecture is often more decisive than the model's accuracy in facial recognition projects.

## Facial Recognition and the KVKK Dimension

In Türkiye, the most critical aspect of facial recognition is the KVKK dimension. Law No. 6698 (KVKK) classifies biometric data — and therefore facial data — as "special-category personal data". This means it is subject to a far heavier protection regime than ordinary personal data: as a rule it cannot be processed without the data subject's explicit consent or an exceptional legal ground foreseen in law.

<callout-box data-variant="warning" data-title="Facial data is an irreversible identity">

You can change a leaked password; you cannot change a leaked face template. That is why purpose limitation, data minimization, encrypted storage, and access control are not optional but mandatory in facial recognition systems. A facial recognition process without consent or exceeding its purpose means high risk and administrative fines under the KVKK dimension.

</callout-box>

In practice the KVKK dimension requires: a clear and understandable privacy notice, collecting only the necessary data, storing data encrypted and with limited access, and, where possible, keeping irreversible templates instead of raw images. We cover KVKK's general framework in the <a href="/en/blog/kvkk-nedir">what is KVKK</a> guide and compliant system design in the <a href="/en/blog/kvkk-uyumlu-yapay-zeka-nedir">what is KVKK-compliant AI</a> guide; the <a href="/en/blog/gdpr-nedir">what is GDPR</a> guide is also instructive for similar principles.

## Facial Recognition and Its Relationship with Deepfakes and Spoofing

Facial recognition's biggest technical weakness is that it can be fooled. A simple photo, a video played on a screen, or an AI-generated <a href="/en/blog/deepfake-nedir">deepfake</a> can deceive a system without liveness detection. This attack is called a "presentation attack" and is the main real-world risk.

Against this, modern facial recognition solutions add a liveness detection layer: it tests whether the presented face belongs to a live human or to a photo/screen/mask. Blink, head movement, skin-texture analysis, and depth sensing are used for this purpose. In an age where generative AI makes deepfake production easy, liveness and anti-spoofing detection are no longer an optional add-on to facial recognition but an inseparable part of it. It is useful to read this threat-defense balance together with the <a href="/en/blog/uretken-yapay-zeka-nedir">what is generative AI</a> and <a href="/en/blog/yapay-zeka-nedir">what is AI</a> guides.

## The Limits and Common Mistakes of Facial Recognition

Facial recognition is powerful but not flawless. Every system makes two kinds of error: false acceptance (mistaking a stranger for an authorized person) and false rejection (failing to recognize an authorized person). A threshold balances these two errors; raising the threshold increases security but also raises the risk of rejecting legitimate users.

Beyond this, an important limit is the bias problem: under-representation of certain demographic groups in the training data can lower accuracy for those groups. Light, angle, aging, makeup, glasses, and masks also affect accuracy. That is why in high-risk security applications facial recognition should not be used alone but together with a second verification factor and human oversight. Ignoring the limits of the technology makes even the most expensive system unreliable; that is why the responsible answer to what facial recognition is includes its limits as much as its capabilities.

## Frequently Asked Questions

### Are facial recognition and face detection the same thing?

No. Face detection only finds whether and where a face exists in an image; it does not say whose it is. Facial recognition converts the detected face into a numerical signature and compares it with enrolled faces to establish identity. Face detection is the first step of facial recognition.

### Is facial recognition a secure biometric verification method?

When set up correctly it is strong, because a face cannot be forgotten or shared like a password. But since it can be fooled by a photo, video, or mask, liveness detection is essential. Light, angle, and camera quality also affect accuracy; that is why high-security applications usually combine it with a second factor.

### Is facial recognition legal under KVKK?

Facial data is special-category personal data under KVKK. As a rule, processing it requires the data subject's explicit consent or an exceptional legal ground foreseen in law. Purpose limitation, data minimization, secure storage, and a duty to inform are also required. Using facial recognition without these conditions is unlawful and can lead to administrative fines.

### How accurate is facial recognition?

Under controlled conditions (good light, frontal image) accuracy is very high; but angle, light, aging, masks, and low camera quality raise the error rate. Systems make two kinds of error: false acceptance (mistaking someone else as a match) and false rejection (failing to recognize the right person). A threshold balances these two errors.

### What is the relationship between facial recognition and deepfakes?

A deepfake is an AI-generated fake face image or video; it can be used to fool facial recognition systems. That is why modern facial recognition solutions include liveness and anti-spoofing layers that test whether the presented face is real and live.

## In Short: What Is Facial Recognition?

In short, the answer to what facial recognition is: a biometric verification technology that turns a human face in an image into a numerical signature and compares it with enrolled faces to establish identity. It starts with face detection, works in verification (1:1) and identification (1:N) modes, and is used in security applications from phone unlocking to border gates. Because facial data is special-category personal data in Türkiye, the KVKK dimension must be at the center of every design. For the basics see the <a href="/en/blog/computer-vision-nedir">what is computer vision</a> and <a href="/en/blog/yapay-zeka-nedir">what is AI</a> guides, and for a KVKK-compliant enterprise facial recognition solution start with <a href="/en/consulting">AI consulting</a>.

<!-- INTERNAL LINK DEBT: /en/blog/canlilik-tespiti-nedir, /en/blog/biyometrik-veri-nedir, /en/blog/yapay-zeka-onyargisi-nedir once published. -->