Impossible traveller

Coro reviews a user's cloud application sign-ins for evidence of unauthorized access or potential account compromise. If you have configured an Impossible traveler threat detection policy, Coro observes the geographic location of each user's successful sign-in attempts. Coro compares each sign-in to previous successful sign-ins over a 24 hour period to determine if the user can realistically travel between locations in the time available.

For example, if a sign-in takes place at 09:00GMT in London, United Kingdom, and the next sign-in takes place at 09:15GMT in Cape Town, South Africa, a person cannot realistically have traveled between the two locations in 15 minutes. Therefore, one of the sign-ins is potentially fraudulent and might be evidence of a compromised account.

Coro uses best estimates of the fastest form of transport between two locations, including a travel preparation buffer, to determine the minimum viable travel time. Coro then compares the total travel time to the duration between events.

Where the calculated travel time exceeds the sign-in timespan, Coro raises an Impossible traveler ticket to alert admin users:

Each ticket presents an aggregation of all Impossible traveler events for a protected user in a 24 hour period, showing the number of times the incident occurred (Event happened) and a list of all incident details (Full details).

Select the dropdown for an incident record to view details of the locations and times involved:

To learn about ticket actions, see Impossible traveler.