Security is considered an important issue for mobile communication systems. In particular, the design of authentication mechanisms has received considerable research interest recently. However, most of the current authentication schemes for mobile systems only have simple security functions and usually have some weaknesses, such as leakage of user identities and high update overhead of temporary identities. Moreover, these schemes cannot fulfill the security requirements specified in third generation mobile systems (IMT-2000, UMTS). In this paper, we propose a secure and flexible authentication framework for mobile communication systems. In the proposed framework, service providers can dynamically choose authentication mechanisms without the cooperation of network operators in visited domains. Based on the new framework, a secure authentication protocol is proposed. The proposed protocol can satisfy the security requirements of third generation mobile systems and is secure against network attacks, such as the replay attack and substitution attack. In short, our approach is secure and practical such that it can satisfy the security requirements of third generation mobile communication systems.