What the signal measures
Impossible travel (velocity checks) compares the geolocation of successive authentication events with the elapsed time. If implied travel speed exceeds plausible thresholds, the session is escalated for step-up authentication or review.
Enterprise context
IdP risk engines (Azure AD Identity Protection, Okta ThreatInsight, Google Workspace) combine IP reputation, device state, and travel models. SOC playbooks should document VPN and satellite link patterns that routinely trigger benign alerts.
False positives
Mobile users hopping countries on short flights, global VPN egress pools, and inaccurate geolocation databases can all flag “impossible” moves. MAC randomization and corporate split tunneling add noise—correlate with device ID and MFA signals.
How velocity is computed
Most engines geocode each IP to latitude/longitude, then compute the great-circle distance d between successive logins and divide by the elapsed time Δt to derive the implied speed v = d / Δt. Thresholds are expressed in km/h or mph with hysteresis so that border cases (airside Wi-Fi vs city center) do not flap. Some products weight ASN changes more heavily than coarse country hops, because satellite backhaul or anycast can shift the apparent location without malicious intent.
Tuning for production
Document baseline VPN concentrator egress prefixes and mark them lower severity. Require corroborating signals (a new device, an implausible OS fingerprint change, credential-stuffing-level request velocity) before step-up. Log the raw IP, ASN, geohash precision, and IdP risk level in one row so analysts can replay decisions.
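The velocity computation above and the tuning rules in this section, as an added example that is not part of the original page: a haversine-based implied-speed check with a hysteresis band, a lower severity for documented VPN egress prefixes, and a device-change corroboration step. The threshold values, coordinates, IPs and prefix are constructed sample data, not settings from any named IdP.

```python
"""Added example (not from the original page): implied-travel velocity check
with threshold, hysteresis band and handling of documented VPN egress.
All IPs, coordinates, timestamps and prefixes are constructed sample data."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0     # faster than an airliner is treated as implausible
HYSTERESIS_KMH = 100.0    # band around the threshold that prevents flapping
# Constructed: documented corporate VPN concentrator egress prefixes
KNOWN_VPN_EGRESS = [ip_network("203.0.113.0/24")]

def login_event(ip, lat, lon, ts_iso, device_id):
    """Geocoded authentication event; ts_iso is an ISO 8601 timestamp."""
    return {"ip": ip, "lat": lat, "lon": lon,
            "ts": datetime.fromisoformat(ts_iso), "device_id": device_id}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance d in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(prev, cur):
    """v = d / delta_t for two successive logins; inf if time did not advance."""
    d = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    dt_h = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
    if dt_h <= 0:
        return float("inf") if d > 0 else 0.0
    return d / dt_h

def evaluate(prev, cur, prev_flagged=False):
    """Return (flagged, severity) for the transition prev -> cur."""
    v = implied_speed_kmh(prev, cur)
    # Hysteresis: a flagged session stays flagged until v falls below the
    # lower edge; a clear session is flagged only once v exceeds the upper edge.
    upper = MAX_SPEED_KMH + HYSTERESIS_KMH
    lower = MAX_SPEED_KMH - HYSTERESIS_KMH
    flagged = v > lower if prev_flagged else v > upper
    if not flagged:
        return False, "none"
    if any(ip_address(cur["ip"]) in net for net in KNOWN_VPN_EGRESS):
        return True, "low"    # documented egress: keep the alert, lower severity
    # Corroboration: a device change alongside the velocity hit warrants step-up
    if cur["device_id"] != prev["device_id"]:
        return True, "high"
    return True, "medium"
```

Each decision's inputs (speed, previous state, prefix match, device change) are the fields the tuning section says to log together so the verdict can be replayed.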
See geolocation accuracy limits and browser vs IP signals.
Review what IP your session is presenting when tuning rules.