A system and method for controlling user access to a computing device (e.g. a mobile device). In some embodiments, access rights are provided to a user based on successfully verified authentication factors, even where the user is unable to provide all the authentication factors typically required for access to the computing device. In one broad aspect, one or more authentication factors are provided by a user, and are received and verified by a security module application residing and executing on the computing device. When less than all of the authentication factors that would typically be expected in authenticating a user for access to the computing device is received and successfully verified, a subset of the available access rights selected from a plurality of different pre-defined subsets of access rights is provided to the user. The specific access rights provided to the user are based on the successfully verified authentication factors.