A system and method for providing pluggable authentication and access control in
computer systems and services are described. The authentication and access control
process may be categorized into three components: an authentication protocol, a
user repository and an access control model. In one embodiment, the authentication
and access control mechanism may be implemented as three pluggable modules: an
authentication protocol handler module for the authenticator side, an authentication
protocol handler for the side to be authenticated, and an access control context
module on the authenticator side. The pluggable modules may be exchangeable to
support a variety of authentication types, user repositories, and access control
models. The authentication protocol handlers provide symmetrical methods to handle
requests and responses in the authentication process that reflect the symmetrical
nature of the authentication process.
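
The three-module split described above, sketched as an added example (not code from the original document). The HMAC challenge-response protocol, the in-memory `USERS` repository, the `ACL` table and all class and method names are assumptions chosen for illustration; each could be swapped for another protocol, repository or access control model without changing `authenticate`.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumptions): a user repository and a permission table.
USERS = {"alice": b"correct horse"}
ACL = {"alice": {"queue.orders:consume"}}

class AccessControlContext:
    """Access control model, created on the authenticator side after login."""
    def __init__(self, user, acl):
        self.user, self._perms = user, frozenset(acl.get(user, ()))
    def check(self, permission):
        return permission in self._perms

class ClientHandler:
    """Protocol handler for the side to be authenticated."""
    def __init__(self, user, password):
        self.user, self.password = user, password
    def handle_request(self, challenge):
        proof = hmac.new(self.password, challenge, hashlib.sha256).hexdigest()
        return f"{self.user}:{proof}".encode()
    def handle_response(self, verdict):
        return verdict == b"OK"

class ServerHandler:
    """Protocol handler for the authenticator side: same two methods, mirrored."""
    def __init__(self, repository, acl):
        self.repository, self.acl = repository, acl
        self.challenge, self.context = None, None
    def handle_request(self, hello=b""):
        self.challenge = secrets.token_bytes(16)  # fresh nonce per attempt
        return self.challenge
    def handle_response(self, reply):
        challenge, self.challenge = self.challenge, None  # single use, blocks replay
        user, _, proof = reply.decode(errors="replace").partition(":")
        secret = self.repository.get(user)
        if challenge is None or secret is None:
            return b"FAIL"
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), proof.encode()):
            return b"FAIL"
        self.context = AccessControlContext(user, self.acl)
        return b"OK"

def authenticate(client, server):
    """Drive one exchange; returns (client_accepted, server-side context or None)."""
    verdict = server.handle_response(client.handle_request(server.handle_request()))
    return client.handle_response(verdict), server.context
```

The access control context exists only after the authenticator-side handler accepts the proof, so a failed exchange leaves the caller with nothing to authorize against.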