Impossible travel is a simple idea - if you can see that a person authenticates within a short time period from two locations so far apart that no one could have travelled between them in that time, bingo — impossible travel, which means at least one malicious authentication!

There are a few problems with this in practice.

  1. Complex detection rules (or slightly simpler code) need the Haversine formula embedded in them [1]. Complexity increases maintenance cost.
  2. IP addresses don’t always correspond to a user’s physical location — often for benign reasons. Mobile network traffic often has IPs linked to the mobile provider offices, not the actual location of the cell towers. Users can even remotely log into their computer in London while in Sydney, for example.
  3. Geolocation data (associating an IP address to a location on Earth) is 99% accurate for country-level data, but far less so for state- or city-level data. This can drastically skew location results for large countries, which creates a lot of false positives for this alert.
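
To make points 1 and 3 concrete, here is an added Python example (not from the original post or any vendor's product) that embeds the Haversine formula and runs the impossible-travel check over a few constructed, geolocation-enriched sign-in records. The speed threshold of 1000 km/h, the `country_level_only` switch (which compares only country codes, since city-level geolocation is the noisy part), the field names, and the sample events are all assumptions made for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: a little above an airliner's cruising speed.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class AuthEvent:
    user: str
    ts: datetime
    src_ip: str
    country: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    first: AuthEvent
    second: AuthEvent
    distance_km: float
    speed_kmh: float


# Constructed sample: JSON-lines sign-in records already enriched with
# geolocation. IPs are from documentation ranges; coordinates are city centres.
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-05-01T10:00:00Z", "src_ip": "203.0.113.10", "country": "AU", "lat": -33.8688, "lon": 151.2093}
{"user": "alice", "ts": "2024-05-01T11:00:00Z", "src_ip": "198.51.100.7", "country": "GB", "lat": 51.5074, "lon": -0.1278}
{"user": "bob", "ts": "2024-05-01T09:00:00Z", "src_ip": "192.0.2.44", "country": "US", "lat": 40.7128, "lon": -74.0060}
{"user": "bob", "ts": "2024-05-01T10:00:00Z", "src_ip": "192.0.2.45", "country": "US", "lat": 42.3601, "lon": -71.0589}
{"user": "carol", "ts": "2024-05-01T09:00:00Z", "src_ip": "192.0.2.90", "country": "US", "lat": 34.0522, "lon": -118.2437}
{"user": "carol", "ts": "2024-05-01T09:30:00Z", "src_ip": "192.0.2.91", "country": "US", "lat": 40.7128, "lon": -74.0060}
"""


def parse_events(log_text: str) -> List[AuthEvent]:
    """Parse the JSON-lines records into AuthEvent objects (timestamps are UTC)."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(rec["user"], ts, rec["src_ip"],
                                rec["country"], rec["lat"], rec["lon"]))
    return events


def find_impossible_travel(events: List[AuthEvent],
                           max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH,
                           country_level_only: bool = True) -> List[Finding]:
    """Flag consecutive sign-ins per user whose implied speed is implausible.

    With country_level_only=True, pairs inside one country are skipped entirely,
    because sub-country geolocation is too unreliable to alert on.
    """
    by_user: Dict[str, List[AuthEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    findings: List[Finding] = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if country_level_only and prev.country == cur.country:
                continue
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Clamp to one second so two sign-ins in the same second do not divide by zero.
            hours = max((cur.ts - prev.ts).total_seconds(), 1.0) / 3600.0
            speed = distance / hours
            if speed > max_speed_kmh:
                findings.append(Finding(user, prev, cur, distance, speed))
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{f.user}: {f.first.country}->{f.second.country} "
              f"{f.distance_km:.0f} km at {f.speed_kmh:.0f} km/h")
```

Run as written, only alice (Sydney then London an hour later) is flagged; carol's Los Angeles to New York jump in 30 minutes is just as physically impossible but is suppressed by the country-level comparison, which is exactly the trade-off point 3 describes: you give up catching some in-country cases to avoid a flood of false positives from imprecise city geolocation. Mobile-carrier and remote-desktop cases from point 2 are not modelled here; a real rule would need an allowlist or a different signal for those.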

In fact, a few years ago, Microsoft decided that their impossible travel rule was actually better as a “behavior”, a type of security event or signal - not an operational alert. If Microsoft is giving up on this technique as a stand-alone alert, perhaps we should all follow suit.

Footnotes

  1. https://community.splunk.com/t5/Reporting/Find-the-Distance-Between-Two-or-More-Geolocation-Coordinates/td-p/57653