Skip to main content
Blog
Blog

What Is Impossible Travel Detection and How Does It Work?

Impossible travel detection flags sessions where location jumps faster than physically possible. Learn how it works and what the browser layer adds.

Jul 04, 2026 4 min read
What Is Impossible Travel Detection and How Does It Work?

Impossible travel detection identifies sessions where a user's location shifts faster than physically achievable. If an account logs in from London at 09:00 and then from Singapore at 09:15, the session is flagged: no direct flight covers that distance in 15 minutes. The signal is simple. What determines whether it is useful is how the system handles VPNs, shared infrastructure, real travelers, and AI agents reusing stolen tokens.

What counts as impossible travel

The core calculation is distance divided by time. If the required speed exceeds a reasonable threshold, typically around 800 km/h as a generous upper bound for commercial flight, the movement is flagged as physically implausible.

ScenarioDistanceTime gapSpeedVerdict
London to Paris340 km25 min816 km/hFlag
London to Manchester260 km40 min390 km/hNo flag
New York to London5,540 km2 hours2,770 km/hFlag
Same city, VPN change0 kminstant0 km/hNeeds context

Time is what separates this from simple geolocation. An account active in one place and then another an hour later might be a VPN switch, a mobile handoff, or a genuine traveler on a short flight. Speed resolves most ambiguity, but not all of it.

Where IP-only detection fails

Standard impossible travel logic compares two IP geolocations. That works when the IPs represent real geographic origin. It breaks in these situations:

  • VPN switches change the apparent location without any physical movement.
  • Residential proxies make attacker traffic look like it originates from a home connection near the target.
  • Shared corporate egress puts many users in one location regardless of where they physically are.
  • Mobile network roaming shifts IP country assignments as the carrier hands off cells.

False positives in these cases are expensive. A real user flagged while traveling, switching VPN servers, or connecting through a corporate network creates friction without catching an attacker.

What the browser layer adds

Device fingerprinting changes what "same user" means. Instead of asking whether the IP matches the expected location, you can ask whether the device matches the account's history, and whether the browser environment looks like a real user or an automation framework.

cside captures device intelligence from real visitors' browsers: 102+ signals including hardware fingerprint, rendering environment, automation tells, and VPN/proxy posture. Two logins from different cities may be a real traveler. The same two logins from different cities with a different device fingerprint and a residential proxy ASN is a different problem.

This combination catches what IP velocity alone misses:

  • VPN-masked travel: the IP stays in one city, but the device profile changes mid-session. That shift is not physical movement, but it is a trust break.
  • AI agent token reuse: an AI agent that picks up a stolen session token may replay it from a completely different geographic and network context. The location jump is immediate, and the device profile will not match the account's history.
  • Real session theft: a session cookie captured via a browser-layer attack and replayed by the attacker from a different country shows as impossible travel plus a sudden device fingerprint mismatch.

Impossible travel as one signal in a session model

Impossible travel is a useful flag, not a verdict. An account that triggers it should see a step-up authentication challenge, a forced re-authentication, or a hold on high-risk actions (payout, address change, payment-method update), not an immediate block. A real traveler who confirms their identity continues without friction. A credential-stuffing session that cannot clear the challenge gets stopped.

The right model layers the signal with device fingerprint drift, network reputation (VPN and proxy score, ASN type), behavioral continuity, and post-login action velocity. cside delivers all of these as session-risk signals via API, so your fraud logic can score the full context rather than reacting to location alone.

For how impossible travel fits into a broader account takeover prevention operating model, including session scoring and post-auth controls, see the full playbook.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

Impossible travel is when an authenticated session appears to jump from one geographic location to another faster than physical movement allows. It is a signal used in account takeover detection: a login from London followed within minutes by a login from Singapore flags the second session for review, because no travel route connects the two cities in that time.

The basic calculation divides the geographic distance between two consecutive login locations by the time between them. If the resulting speed exceeds a threshold (typically around the maximum speed of commercial air travel, roughly 800 km/h), the second session is flagged. More advanced implementations also compare device fingerprints across sessions, because a location jump paired with a device change is stronger evidence of account misuse than location alone.

IP-only detection can be bypassed by a VPN. If an attacker uses an exit node near the victim's last known location, the apparent travel distance is small and nothing gets flagged. Device fingerprinting closes this gap: even if the attacker's VPN IP matches the expected region, browser-layer signals detect the mismatch between the new device profile and the account's fingerprint history.

It can generate false positives without context. Long-haul travelers and corporate VPN users will show location jumps when their VPN server assignment changes. Well-calibrated systems discount known-good scenarios: mobile network handoffs, corporate egress pools, and travel patterns consistent with the account's history. Pairing location velocity with device continuity reduces false positives considerably.

Velocity detection counts login attempts over time and flags high frequency. Impossible travel detection compares location pairs and flags physically implausible movement. They are complementary: velocity catches credential-stuffing campaigns; impossible travel catches session reuse and stolen-token replay across geographies.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo