Reliability of impossible travel risk assessment

Problem statement

We need to know a ballpark figure of how reliable this “impossible travel” detection is. There are a few legitimate use cases that could lead to false positives in this detection, for example VPN usage or a user switching between Wi-Fi and mobile data, and other possible causes like unreliable IP-location databases.

What is the confidence that Auth0 has in this feature? Can you tell us an expected false-positive rate? And would you recommend using it as a signal for custom application logic like user notifications or even account login blocks?

Solution

Unfortunately, the Engineering team does not have this type of metrics. It is possible to use just one of the assessors, but our recommendation is that the different Adaptive MFA assessors should be used in conjunction with each other, as they help to build a better picture.
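
The following post-login Action is an added example, not code from the original article or from Auth0, showing one way to combine assessors instead of acting on impossible travel alone. The `decide` helper, the one-versus-two-assessor thresholds and the `https://example.com/risk_flags` claim namespace are assumptions made for illustration.

```javascript
// Added example: combine Adaptive MFA assessor results in a post-login Action.
// Auth0 reports each assessor's confidence as 'low', 'medium', 'high' or
// 'neutral'; 'low' means low confidence that the login is legitimate.
const RISKY = new Set(['low', 'medium']);
const ASSESSORS = ['ImpossibleTravel', 'NewDevice', 'UntrustedIP'];

// Hypothetical pure helper so the policy can be tested without a tenant.
// Thresholds are an assumption, not an Auth0 recommendation.
function decide(riskAssessment) {
  const results = (riskAssessment && riskAssessment.assessments) || {};
  const flagged = ASSESSORS.filter(
    (name) => results[name] && RISKY.has(results[name].confidence)
  );
  if (flagged.length === 0) return { action: 'allow', flagged };
  // A single assessor (for example ImpossibleTravel after a VPN hop or a
  // Wi-Fi/mobile switch) is treated as a weak signal: surface it, do not
  // interrupt the login.
  if (flagged.length === 1) return { action: 'notify', flagged };
  // Two or more assessors agreeing is treated as strong enough to step up.
  return { action: 'mfa', flagged };
}

async function onExecutePostLogin(event, api) {
  const risk = event.authentication && event.authentication.riskAssessment;
  const { action, flagged } = decide(risk);
  if (action === 'allow') return;

  // Expose the flags so the application can notify the user or log them.
  // The claim namespace is a placeholder.
  api.idToken.setCustomClaim('https://example.com/risk_flags', flagged);

  // Only challenge users who already have a factor enrolled.
  const enrolled = (event.user && event.user.multifactor) || [];
  if (action === 'mfa' && enrolled.length > 0) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Auth0 Actions load the handler from `exports`; guarded so the file also
// runs outside a CommonJS environment.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

With this policy, an impossible-travel flag on its own never blocks or challenges a login; it only reaches the application as a claim.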