Impossible travel is a security and fraud detection concept for identifying suspicious activity. It occurs when an account is accessed from two locations that are too far apart to travel between in the time elapsed between the access events.
For example, it would be impossible for someone to travel from London to San Francisco in one hour. So, two login attempts from both cities in the same hour could trigger an impossible travel flag.
You can calculate impossible travel by comparing the distance between two locations, often determined by IP address or GPS, by the time between access attempts. For example, if someone tries to log in to an account from London and San Francisco during the same hour, then that could trigger an impossible travel flag.
Impossible travel can be a risk signal, but it's not always a sign that the user is a bad actor. For example, a legitimate user might use and switch VPNs or access accounts via corporate proxy servers. The user also could be sharing account access with someone else, which might not be against a service's terms and conditions.
Impossible travel can be an important risk signal because it's associated with various types of fraud and social engineering. For example, it might indicate a bad actor hijacked a session, forgot to turn on a VPN or proxy, or stole login credentials.