A geovelocity check is a real-time calculation that measures the speed required to travel between two geolocated events—such as logins, transactions, or access requests—to determine if the movement is physically possible. By dividing the distance between two geographic coordinates by the elapsed time between events, the system computes an implied velocity. If this velocity exceeds a predefined threshold (e.g., supersonic speeds), the event is flagged as an impossible travel anomaly, a core indicator of account takeover or credential theft.
Glossary
Geovelocity Checks

What is Geovelocity Checks?
A real-time security calculation that determines the speed required to travel between two geolocated digital events to assess if the movement is physically possible.
Geovelocity checks are a foundational component of risk-based authentication and continuous authentication frameworks, operating alongside device fingerprinting and behavioral biometrics. The mechanism relies on accurate IP geolocation data and precise timestamp correlation across distributed systems. To reduce false positives, advanced implementations incorporate confidence radii for IP locations and account for legitimate high-speed proxies like corporate VPNs, ensuring that a user flying on a commercial airliner is not incorrectly blocked while a session hijacker is intercepted.
Key Characteristics of Geovelocity Checks
Geovelocity checks form the mathematical backbone of impossible travel detection, calculating the physical speed required to traverse between two geolocated events to determine if the movement violates the laws of physics.
Haversine Distance Calculation
The foundational geometric formula that computes the great-circle distance between two latitude/longitude coordinate pairs on a sphere. Unlike simple Euclidean distance, the haversine formula accounts for the Earth's curvature, providing accurate kilometer-level measurements essential for calculating the minimum travel distance between login events. This calculation ignores terrain and infrastructure, representing the absolute theoretical minimum path.
Velocity Calculation Engine
The core computation divides the haversine distance by the time delta between two sequential events to derive a required speed. This speed is compared against a configurable threshold, typically the maximum speed of commercial aviation (approx. 900-1,000 km/h). The engine must account for clock synchronization issues, timezone offsets, and network latency to avoid false positives caused by timestamp inaccuracies rather than genuine fraud.
Contextual Threshold Tuning
Static speed limits generate high false positive rates. Advanced geovelocity engines implement contextual thresholding that dynamically adjusts acceptable speeds based on:
- User tier: VIP travelers vs. local-only accounts
- Historical patterns: Frequent flyers have higher baseline velocities
- Event type: Login vs. high-value transaction vs. password change This prevents locking out legitimate business travelers while maintaining strict checks on sensitive actions.
Multi-Factor Correlation
Geovelocity is rarely used in isolation. A true impossible travel detection system correlates velocity anomalies with other signals:
- Device fingerprint mismatch: Same credentials, new device
- Behavioral biometric drift: Typing cadence or mouse dynamics change
- IP reputation: Known proxy, VPN, or TOR exit node
- Time-of-day anomalies: Access at 3 AM local time This correlation transforms a single velocity flag into a high-confidence account takeover score.
Edge Case Handling
Production systems must gracefully handle scenarios that break naive velocity calculations:
- VPN/Proxy passthrough: Apparent location is the exit node, not the user
- GPS spoofing: Injected fake coordinates from emulators
- Missing location data: Fallback to IP geolocation when GPS is unavailable
- Multi-device sessions: Legitimate user on phone and laptop simultaneously Robust implementations degrade gracefully, assigning lower confidence scores when location data quality is poor.
Real-Time Enforcement Actions
The output of a geovelocity check feeds directly into a risk-based authentication engine that triggers proportional responses:
- Low risk: Silent logging for future analysis
- Medium risk: Step-up authentication (MFA challenge, biometric verification)
- High risk: Session termination and account lockout
- Critical risk: Real-time alert to SOC analysts This graduated response model balances security with user experience, avoiding blanket denials for borderline velocity calculations.
Frequently Asked Questions
Clear, technical answers to the most common questions about geovelocity checks, impossible travel logic, and the real-time calculation of physical movement feasibility in fraud detection systems.
A geovelocity check is a real-time security calculation that measures the speed required to travel between two geolocated events to determine if the movement is physically possible. The system timestamps two successive events—such as a login, transaction, or access request—extracts their latitude and longitude coordinates, calculates the great-circle distance between them, and divides that distance by the elapsed time. If the computed velocity exceeds a predefined threshold (commonly 500-600 mph for commercial air travel), the event is flagged as impossible travel. This check operates as a core component of rule-based fraud engines and is often combined with device fingerprinting and behavioral biometrics to suppress false positives caused by legitimate VPN usage or mobile network tower triangulation errors.
Real-World Applications
Geovelocity checks are a critical real-time defense against account takeover, applying the laws of physics to digital authentication. The following scenarios illustrate how the calculation of required travel speed between two events triggers automated risk responses.
Account Takeover (ATO) Prevention
The primary application of geovelocity checks is blocking credential-stuffed logins. If a user authenticates from New York and a second login attempt originates from London 15 minutes later, the required speed exceeds Mach 5. The system calculates the impossible travel flag and triggers a step-up authentication challenge or hard block, neutralizing the attack before the fraudster accesses the account.
Payment Fraud Interception
Card-not-present (CNP) transactions are validated against the cardholder's last known physical location. A point-of-sale transaction in Chicago followed by an e-commerce purchase claiming a billing address in Manila within 30 minutes generates a velocity anomaly. The fraud scoring engine integrates this impossible travel signal to decline the transaction before authorization, preventing financial loss in real-time.
Session Hijacking Mitigation
Active session tokens are continuously validated against geolocation. If a session established in Tokyo suddenly presents a new IP geolocated in Lagos without a plausible travel interval, the session fingerprint is invalidated. This passive check detects session hijacking and cookie theft instantly, forcing a re-authentication to restore the connection.
VPN & Proxy Correlation
Geovelocity checks are correlated with VPN detection and TOR detection signals. A login from a known VPN exit node in Amsterdam, immediately following a physical card-present transaction in Sydney, confirms the anonymized connection is being used for fraud. The combination of impossible travel and anonymizing service flags creates a high-confidence risk score.
Credential Stuffing Bot Mitigation
Large-scale credential stuffing attacks distribute login attempts across global botnets. Geovelocity checks analyze the sequential timing of failed logins across the distributed IP addresses. If the same credentials are attempted from five different continents within a 60-second window, the velocity check identifies the botnet pattern and blacklists the credential pair, protecting all accounts in the database.
Adaptive Risk-Based Authentication
Geovelocity is a core input into Risk-Based Authentication (RBA) engines. Rather than a binary block, the impossible travel score adjusts the authentication requirement dynamically. A low-risk anomaly might trigger a silent push notification, while a physically impossible jump forces a hardware token challenge, balancing security with user experience based on the calculated travel speed.
Geovelocity Checks vs. Related Techniques
A comparison of geovelocity checks against other session and location-based anomaly detection techniques used in fraud prevention.
| Feature | Geovelocity Checks | Impossible Travel | Device Fingerprinting |
|---|---|---|---|
Primary Signal | Time-distance physics calculation | Logical rule based on geovelocity output | Device attribute hash and consistency |
Real-Time Capable | |||
Requires Historical Data | |||
Detects Credential Stuffing | |||
Detects Session Hijacking | |||
False Positive Rate | 0.1-0.5% | 0.3-1.0% | 0.5-2.0% |
Computational Overhead | Low (< 5ms) | Low (< 1ms) | Medium (10-50ms) |
VPN/TOR Evasion Resistance | High | High | Low |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and detection mechanisms that work in concert with geovelocity checks to form a comprehensive impossible travel and location-based fraud prevention strategy.
VPN Detection
The process of identifying traffic originating from a Virtual Private Network by cross-referencing IP addresses against known VPN exit node databases and analyzing network stack artifacts. VPNs mask a user's true geolocation, which can defeat naive geovelocity checks. Advanced detection examines TCP/IP fingerprinting, DNS leak analysis, and latency triangulation to unmask anonymized connections.
- Data Sources: Commercial IP intelligence feeds (MaxMind, IP2Location)
- Artifacts: Mismatched timezone vs. browser locale, WebRTC leaks
- Integration: VPN score feeds directly into risk-based authentication engines
Risk-Based Authentication (RBA)
An adaptive security framework that dynamically adjusts authentication requirements based on a real-time risk score. Geovelocity violations contribute a high-risk signal to the RBA engine. If the calculated travel speed is implausible, the system may step-up authentication to require a one-time password, biometric verification, or outright block the session.
- Input Signals: Geovelocity, device fingerprint, behavioral biometrics, IP reputation
- Actions: Allow, step-up MFA, block, or initiate silent verification
- Goal: Balance security with user friction
Session Hijacking Detection
The identification of an attack where a valid user session is compromised, typically through stolen session cookies or tokens. Geovelocity checks are critical here: an abrupt change in the geolocation of an existing, authenticated session—without a corresponding login event—is a strong signal of session hijacking. The system detects a spatial discontinuity that violates physical travel constraints.
- Signal: Session origin shifts from Chicago to Moscow within seconds
- Response: Invalidate session token, force re-authentication
- Complement: Combine with device fingerprint delta checks
TOR Detection
The identification of traffic routed through The Onion Router anonymity network by checking IP addresses against public TOR exit node lists. TOR exit nodes frequently rotate and can appear globally distributed, causing legitimate users to exhibit impossible travel patterns. Detection allows the system to adjust geovelocity thresholds or apply stricter verification for TOR-originated sessions.
- Data Source: Public TOR exit node list (https://check.torproject.org)
- Challenge: High false-positive rate for privacy-conscious legitimate users
- Strategy: Flag as high-risk rather than outright block
Device Fingerprinting
A passive identification technique that collects a multitude of attributes from a remote computing device to generate a unique identifier. When paired with geovelocity, device fingerprinting provides corroborating evidence: if the geovelocity check flags an impossible travel event, but the device fingerprint matches the user's known device, the risk score may be moderated. Conversely, a new device plus impossible travel is a critical alert.
- Attributes: Browser version, OS, installed fonts, screen resolution, canvas hash
- Correlation: Same device + impossible travel = possible VPN usage
- Correlation: New device + impossible travel = likely account takeover

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us