Skip to main content

Anomalous Login Detection

How to set up and use impossible-travel detection to flag suspicious logins.

Written by Daisy Akinbo

Anomalous login detection, often called "impossible travel," flags sign-ins that come from two locations too far apart to be reached in the time between them. For example, a login from Durham, North Carolina followed 30 minutes later by a login from Singapore is not physically possible, so Warrant flags the second login as suspicious.

This adds a layer of protection on top of Warrant's existing controls, including account lockout, multi-factor authentication, and API rate limiting, and helps catch account compromise even when an attacker has valid credentials.

This guide explains how the feature works, what your users will experience, and how to configure it.

How It Works

On every sign-in, Warrant records the approximate geographic location (derived from the IP address) and the time of the login. When the same user signs in again, Warrant compares the new location and time against the previous session and calculates whether the trip between them is feasible. If the implied travel speed exceeds the configured limit, the login is treated as impossible travel.

A few logins are never flagged:

  • A user's first login

  • Logins from a nearby or local area

  • Logins where a location cannot be reliably determined

Configure Detection Mode

Anomalous login detection is managed by super admins.

  1. In the left sidebar, open Company Settings

  2. Select the Security section

  3. Choose a detection mode:

  • Off – Detection is not evaluated. No events or alerts are generated.

  • Auto-detect – Flagged logins are recorded and your security team is alerted, but users are not challenged or blocked.

  • Enforce – Flagged logins are actively challenged or blocked.

  1. Optionally adjust the travel-speed threshold that defines "impossible." The default is 600 mph, roughly commercial flight speed. Lowering it makes detection stricter. Raising it reduces flags for users who travel frequently by air.

  2. Save your changes

Only super admins can view or change these settings.

What Users Experience

Most users will never notice this feature. Normal travel, consistently used VPNs, and everyday logins will not trip it.

When a login is flagged under Enforce mode, the result depends on how the user signs in:

  • Password login – The user is asked to complete an email verification check. After completing the link sent to their email, the login finishes normally.

  • Single sign-on (Google or Microsoft) – The flagged login is denied and the user is returned to the login page.

A flag is usually caused by a recent flight, a VPN that changed the user's apparent location, or a sign-in from a new country. Completing the email verification, or contacting an administrator, resolves it.

Reduce False Flags

A few common situations can flag a legitimate login. To minimize disruption:

  • Ask users on VPNs to keep a consistent region rather than switching exit locations mid-session

  • Expect that long-distance air travel can briefly flag a login right after landing. The email verification step under Enforce is designed to handle this smoothly.

  • Start in Auto-detect mode if your team travels internationally often, so you can observe activity and tune the threshold before turning on Enforce

Federated Users

If your organization uses an identity provider such as Okta or Microsoft Entra ID, that provider may already perform its own impossible-travel detection for federated sign-ins. Warrant's detection works alongside it and additionally covers users who sign in directly to Warrant, so all of your users are protected regardless of how they authenticate.

Did this answer your question?