Behavioral authentication is described. A mobile device records a first location of the mobile device. The mobile device records a second location of the mobile device. The mobile device determines whether a route from the first location to the second location matches an expected route. The mobile device generates an access-enabling token in response to a determination that the route from the first location to the second location matches the expected route. The mobile device enables access to an entity by a user of the mobile device based on the mobile device providing the access-enabling token to the entity.