Authentication for a mobile device (e.g., a mobile phone) often includes a challenge and response mechanism that may leverage a shared secret stored in the device's universal integrated circuit card (UICC). Some authentications do not involve the user, so as to make the user's experience seamless. Such authentications assume that the rightful owner has possession of the UICC, which is stored within the device. If the device is lost or stolen, for example, it may still be used because the network may be authenticating the subscription rather than the user (or subscriber) of the device (or service). The use of devices by an unauthorized user may be mitigated by involving the user in each session that requires authentication. For example, sessions may request the user to input a password and/or PIN. Such sessions often make the user's authentication experience cumbersome, and users may respond with weak passwords and/or PINs (e.g., 1234 or aaaa). Such PINs and passwords are easy to remember and input, which may also make them easy to guess. Weak passwords and PINs often increase the authentication burden for the user to access a service or application without adding security for the user. In addition, services are not equally sensitive from a security risk perspective, and thus services may require different levels of security.