Inferensys

Glossary

Impossible Travel

A geolocation-based security rule that flags a login attempt when the physical distance between two successive access points cannot be traversed in the elapsed time, indicating account takeover.
Knowledge engineer constructing knowledge base on laptop, document hierarchy visible, casual office setup.
GEOLOCATION ANOMALY DETECTION

What is Impossible Travel?

A security rule that flags authentication events when the physical distance between two successive login locations cannot be traversed in the elapsed time, indicating credential compromise.

Impossible travel is a geolocation-based security control that calculates the terrestrial distance between a user's current and previous login coordinates, then divides it by the time elapsed. If the required velocity exceeds physical possibility—typically the speed of commercial air travel—the system flags the event as a high-fidelity indicator of account takeover or credential theft.

Modern implementations enhance raw geovelocity checks with contextual signals like VPN detection, known airport IP ranges, and device fingerprinting to suppress false positives from legitimate rapid travel. When combined with risk-based authentication, an impossible travel flag triggers step-up challenges or session termination before the attacker can execute fraudulent transactions.

GEOLOCATION ANOMALY DETECTION

Key Characteristics of Impossible Travel Rules

Impossible travel rules are a cornerstone of account takeover detection, leveraging geolocation and time to flag physically impossible access patterns. The following characteristics define the technical architecture and logic that make these rules effective against credential-based attacks.

01

Geovelocity Calculation Engine

The core mathematical engine computes the great-circle distance between two successive login coordinates and divides it by the elapsed time to derive a required travel speed. If this speed exceeds a defined threshold—typically the maximum speed of commercial aviation (approx. 600 mph / 965 km/h)—the event is flagged. The engine must account for terrestrial constraints, rejecting straight-line paths that ignore ocean crossings or geopolitical no-fly zones. Advanced implementations incorporate a buffer for airport transit time and security screening.

02

Temporal Window Configuration

The time delta between Event A and Event B is the critical divisor in the velocity calculation. Configurations must be tuned to the organization's risk appetite:

  • Strict Window: A 1-hour threshold catches rapid, automated credential stuffing but may generate noise from mobile IP refreshes.
  • Relaxed Window: A 4-8 hour window accounts for legitimate long-haul flights but risks missing a takeover where the attacker waits.
  • Sliding Window: Analyzes the last N events rather than just the immediate predecessor to detect multi-hop attack patterns.
03

IP Geolocation Data Sources

The accuracy of an impossible travel rule is entirely dependent on the fidelity of its IP-to-location mapping. Common sources include:

  • Commercial GeoIP Databases: MaxMind, IP2Location, and NetAcuity offer varying precision at the city, postal code, and coordinate levels.
  • BGP and Latency Triangulation: Network-level data can validate commercial database claims by measuring round-trip time.
  • GPS/Wi-Fi Triangulation: For mobile applications, on-device location services provide high-confidence coordinates that bypass IP spoofing entirely. A robust system cross-references multiple signals to detect IP spoofing or VPN exit node usage.
04

Contextual Suppression Logic

To prevent false positives that disrupt legitimate users, rules require sophisticated exception handling:

  • Known VPN/Carrier NAT: Traffic from known VPN providers or mobile carrier gateways (which can geolocate to a central office far from the user) is suppressed or scored differently.
  • Trusted Device Recognition: If the new login originates from a previously device-fingerprinted and remembered browser, the risk score is reduced.
  • Multi-Factor Authentication (MFA) Status: A successful MFA challenge on the anomalous event can suppress the alert, treating the travel anomaly as a curiosity rather than a threat.
  • Airport Wi-Fi Networks: IP ranges associated with known airport networks can be whitelisted or given a higher velocity tolerance.
05

Velocity vs. Frequency Analysis

Impossible travel is a specific subset of velocity analysis. While impossible travel focuses on the physical impossibility of movement, frequency analysis detects a logical impossibility of usage:

  • Single-User Velocity: How many distinct accounts is a single IP accessing per minute? High velocity indicates a bot or shared attack infrastructure.
  • Single-Account Velocity: How many distinct IPs are accessing a single account per hour? This detects credential stuffing where a botnet distributes login attempts globally.
  • Hybrid Rules: Combining geovelocity with account/IP frequency creates a high-precision detection net that catches both targeted takeovers and broad brute-force attacks.
06

Post-Detection Automated Response

Upon flagging an impossible travel event, the system must execute a risk-based authentication (RBA) workflow:

  1. Step-Up Authentication: Prompt for a second factor (TOTP, push notification, hardware key) without revealing the reason.
  2. Session Termination: If the risk score is extreme, actively invalidate the session token on the anomalous access point.
  3. Administrative Hold: Place the account in a restricted state, preventing fund transfers or data exports until a manual review is completed.
  4. Threat Intelligence Ingestion: Feed the anomalous source IP and fingerprint into a blocklist for other security systems.
IMPOSSIBLE TRAVEL

Frequently Asked Questions

Clear, technically precise answers to the most common questions about impossible travel detection, geovelocity logic, and its role in account takeover prevention.

Impossible travel is a geolocation-based security rule that flags a login attempt when the physical distance between two successive access points cannot be traversed in the elapsed time, indicating account takeover (ATO) . The detection engine calculates the geovelocity—the speed required to move from point A to point B—and triggers an alert if that speed exceeds a defined threshold, such as 500 miles per hour. For example, a login from New York followed by a login from London 30 minutes later is physically impossible via commercial flight, signaling that a malicious actor has gained access using stolen credentials. This rule is a core component of risk-based authentication (RBA) frameworks and is often combined with device fingerprinting and behavioral biometrics to reduce false positives from legitimate VPN usage or corporate travel patterns.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.