Stopping compromised access at login is essential, but identity risk doesn’t end there. CrowdStrike acquired SGNL to further elevate Falcon Next-Gen Identity Security.Authentication becomes an intelligence-driven decision. FalconID evaluates risk signals related to identity, endpoint, and SaaS security, as well as active threat detections and our own adversary intelligence. Over time, Falcon Next-Gen Identity Security continuously enforces access as risk signals change. If risk changes, access decisions can be re-evaluated and privileges reduced or revoked mid-session.
The attack surface has shifted to browsers, SaaS applications, and AI tools. Identity is the connective tissue across every workload and workflow. As adversaries exploit valid sessions, hijack tokens, and abuse legitimate privileges to remain hidden, organizations need to ensure access is only granted to employees who need it.
This is why we built CrowdStrike Falcon® Next-Gen Identity Security: to unify comprehensive identity visibility, modern privileged access, identity threat detection and response (ITDR), and SaaS security on the AI-native Falcon platform. With FalconID now generally available, and the addition of continuous authorization from our acquisition of SGNL, Falcon Next-Gen Identity Security takes a major step forward.
FalconID: Security-First Authentication in the Falcon Platform
Older tools weren’t built to withstand these attacks. Traditional IAM and standalone MFA were designed to validate identity only at login. They lack visibility into broader security context, including compromised devices, adversary activity, SaaS misconfigurations, privilege abuse, and mid-session risk posture changes. These gaps are where modern identity attacks thrive.
When a user attempts to authenticate, FalconID ensures that:
FalconID is not a standalone MFA. It is integrated, security-first authentication delivered from the unified Falcon platform that strengthens the first control point in the identity attack chain.
Adversaries continue to use legitimate identities to infiltrate and navigate organizations while evading defenses. As they adopt AI, the scale and impact of social engineering and credential abuse are growing. AI-enhanced phishing, MFA fatigue, and session hijacking enable threat actors to bypass MFA. And adversaries are moving faster: The CrowdStrike 2026 Global Threat Report found the average eCrime breakout time has dropped to a record low of 29 minutes.
How it works
SGNL adds a universal enforcement layer that continuously evaluates access decisions across cloud, SaaS, and enterprise environments. Unlike legacy IAM systems that make a single “trust-once” decision at login, SGNL enables continuous, context-aware authorization.
- The authentication request is cryptographically bound to a legitimate domain.
- The user’s trusted device is physically present.
- Proximity validation prevents remote push abuse.
- The login attempt is evaluated against real-time risk signals from across the Falcon platform.
With SGNL, standing privileges are eliminated and access can be dynamically adjusted as risk changes in real time. Zero standing privileges become achievable across AD, Entra, AWS, Okta, and SaaS apps. Together, FalconID and SGNL extend Falcon Next-Gen Identity Security across the full identity lifecycle:
For users, the process is frictionless. FalconID eliminates the use of passwords, push notifications, and one-time codes through its FIDO2-based biometric authentication bound to trusted devices and legitimate domains. A physical device is required to approve access. The user and device are verified in real time, without redirects or third-party integrations.
SGNL: Continuous Authorization Beyond Login
For legacy access scenarios where FIDO is not supported, FalconID provides secure indirect authentication enabling administrators to secure legacy applications and protocols.
FalconID is now generally available, bringing phishing-resistant MFA to the CrowdStrike Falcon® platform and advancing CrowdStrike’s leadership in identity security.
See FalconID in action in this demo video
- At login, authentication is phishing-resistant and security context-aware.
- During access, authorization is continuously evaluated and risk-based.
- Across on-prem, cloud, and SaaS privileges, standing access is eliminated in favor of just-in-time enforcement.
- Across SaaS and cloud, identity posture and misconfiguration risks are monitored and controlled.
- Across human, non-human, and AI identities, threats are automatically detected and blocked in real time.
Identity Protection Built to Fight Modern Threats
FalconID provides phishing-resistant, FIDO2-based authentication as a seamless experience built directly into the Falcon sensor and delivered through the Falcon for Mobile app. It connects authentication to the Falcon platform’s real-time telemetry to determine when access is safe, and when it’s risky, without forcing users through unnecessary steps.
Learn more: https://www.crowdstrike.com/en-us/platform/next-gen-identity-security/falcon-id/
By combining AI-native ITDR, modern privileged access, SaaS security posture management, phishing-resistant MFA, and continuous authorization, CrowdStrike delivers a unified identity fabric across human, non-human, and AI identities. Identity becomes continuously evaluated, dynamically enforced, and fully correlated with endpoint, cloud, and threat intelligence signals.
With FalconID now generally available and SGNL expanding enforcement across environments, Falcon Next-Gen Identity Security delivers protection where legacy IAM models cannot.
