Impossible Travel Detection
What is Impossible Travel Detection?
Impossible Travel Detection: a detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time.
Impossible travel detection compares the IP-geolocated sources of two successive successful authentications for the same identity and computes the implied travel speed (the distance between the two locations divided by the time elapsed between the sign-ins). If user U signs in from New York at 09:00 UTC and then from Singapore at 10:30 UTC, the implied speed is far above anything commercial aviation can achieve, so the second event is treated as suspicious. Microsoft Entra ID, Okta ThreatInsight, Google Workspace, and most SIEMs ship a built-in 'atypical travel' or 'unusual location' analytic, typically combined with VPN and Tor-exit reputation lists to reduce false positives, since a VPN or Tor exit can make a user appear to jump between countries. The signal alone is rarely conclusive; modern playbooks use it to trigger step-up authentication or session revocation, and the detection is commonly mapped to MITRE ATT&CK technique T1078 (Valid Accounts).
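The geo-velocity computation described above, as an added example that is not code from the original page or from any of the named vendors. It assumes sign-in events have already been IP-geolocated to a latitude/longitude, uses the haversine great-circle distance, applies the 800 km/h threshold mentioned in the Okta example, ignores small distances (IP geolocation jitter inside one metro area), and marks alerts involving a known VPN/Tor exit as low confidence rather than dropping them. All events, IP addresses and the proxy-exit list are constructed sample data.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime  # timezone-aware UTC timestamp of the successful authentication
    ip: str       # source address, already geolocated to lat/lon below
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelAlert:
    user: str
    src: SignIn
    dst: SignIn
    distance_km: float
    speed_kmh: float
    confidence: str  # "high", or "low" when a known VPN/Tor exit is involved


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(a: SignIn, b: SignIn) -> tuple[float, float]:
    """Return (distance_km, implied speed km/h) for two consecutive sign-ins a -> b.

    Zero or negative elapsed time with a non-zero distance is treated as infinite
    speed rather than raising a division error.
    """
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = (b.ts - a.ts).total_seconds() / 3600.0
    if hours <= 0:
        return dist, (math.inf if dist > 0 else 0.0)
    return dist, dist / hours


def detect_impossible_travel(
    events: list[SignIn],
    max_speed_kmh: float = 800.0,
    min_distance_km: float = 100.0,
    proxy_exits: frozenset[str] = frozenset(),
) -> list[TravelAlert]:
    """Compare each identity's consecutive sign-ins and flag implausible velocity."""
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts: list[TravelAlert] = []
    for user, seq in by_user.items():
        seq.sort(key=lambda e: e.ts)
        for prev, cur in zip(seq, seq[1:]):
            dist, speed = implied_speed_kmh(prev, cur)
            if dist < min_distance_km:  # geolocation jitter, not travel
                continue
            if speed <= max_speed_kmh:  # reachable by ordinary air travel
                continue
            confidence = "low" if {prev.ip, cur.ip} & proxy_exits else "high"
            alerts.append(TravelAlert(user, prev, cur, dist, speed, confidence))
    return alerts


def _utc(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample data (documentation-range IPs); coordinates are city centres.
KNOWN_PROXY_EXITS = frozenset({"192.0.2.77"})  # hypothetical VPN exit from a reputation list
SAMPLE_EVENTS = [
    SignIn("alice", _utc(9, 0), "203.0.113.10", 40.7128, -74.0060),   # New York
    SignIn("alice", _utc(10, 30), "198.51.100.7", 1.3521, 103.8198),  # Singapore
    SignIn("bob", _utc(9, 0), "192.0.2.5", 48.8566, 2.3522),          # Paris
    SignIn("bob", _utc(9, 30), "192.0.2.77", -23.5505, -46.6333),     # Sao Paulo via VPN exit
    SignIn("carol", _utc(9, 0), "203.0.113.44", 51.5074, -0.1278),    # London
    SignIn("carol", _utc(12, 0), "203.0.113.45", 48.8566, 2.3522),    # Paris, 3 h later
    SignIn("dave", _utc(9, 0), "198.51.100.20", 48.8566, 2.3522),     # Paris
    SignIn("dave", _utc(9, 5), "198.51.100.21", 48.8600, 2.4000),     # Paris, few km away
]

if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS, proxy_exits=KNOWN_PROXY_EXITS):
        print(f"{alert.user}: {alert.distance_km:.0f} km in "
              f"{(alert.dst.ts - alert.src.ts)} -> {alert.speed_kmh:.0f} km/h "
              f"({alert.confidence} confidence)")
```

Running the module flags alice (New York to Singapore in 90 minutes, roughly 15,300 km at over 10,000 km/h) and bob (Paris to Sao Paulo in 30 minutes, downgraded to low confidence because the second sign-in came from a listed VPN exit), while carol's London-to-Paris trip and dave's intra-city jitter produce nothing. In production the alert would feed a step-up authentication or session-revocation decision rather than stand alone.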
● Examples
- Entra ID risky sign-in raising 'atypical travel' when the same account logs in from Paris and Sao Paulo within 30 minutes.
- An Okta ThreatInsight policy revoking sessions when geo-velocity exceeds 800 km/h.
● Frequently asked questions
What is Impossible Travel Detection?
A detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time. It belongs to the Identity & Access category of cybersecurity.
What does Impossible Travel Detection mean?
A detection that flags successive sign-ins from geographic locations too far apart to be reached by any plausible travel within the elapsed time.
How does Impossible Travel Detection work?
Impossible travel detection compares the IP-geolocated sources of two successive successful authentications for the same identity and computes the implied travel speed (the distance between the two locations divided by the time elapsed between the sign-ins). If user U signs in from New York at 09:00 UTC and then from Singapore at 10:30 UTC, the implied speed is far above anything commercial aviation can achieve, so the second event is treated as suspicious. Microsoft Entra ID, Okta ThreatInsight, Google Workspace, and most SIEMs ship a built-in 'atypical travel' or 'unusual location' analytic, typically combined with VPN and Tor-exit reputation lists to reduce false positives. The signal alone is rarely conclusive; modern playbooks use it to trigger step-up authentication or session revocation, and the detection is commonly mapped to MITRE ATT&CK technique T1078 (Valid Accounts).
How do you defend against Impossible Travel Detection?
Defences for Impossible Travel Detection typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Impossible Travel Detection?
Common alternative names include: Atypical travel, Geo-velocity anomaly, Superman travel.
● Related terms
- Adaptive Authentication (identity-access, № 015): An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior.
- Risk-Based Authentication (RBA) (identity-access, № 940): An authentication strategy that computes a real-time risk score for each sign-in and varies the response (allow, challenge, or block) based on that score.
- Step-Up Authentication (identity-access, № 1103): A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
- Account Takeover (ATO) (attacks, № 010): An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
- Session Hijacking (attacks, № 1016): An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- UEBA (User and Entity Behavior Analytics) (defense-ops, № 1189): A detection technology that profiles normal behavior of users and entities, then surfaces statistical or machine-learning anomalies that may indicate compromise or insider risk.