GAP Security Mode VS. Characteristic Read/Write Permission

My question is in regard to BLE security. I have certain characteristics that I want to remain open, as they will be used to determine authentication at the application level. Once authentication has been determined at the application level, I intend to issue a bonding request from the central (phone) to the peripheral (nRF51822).

I see that all characteristics read/write permissions can be set independently, but I also see that the gap_params_init function sets the security level for the GAP as well. To make my scheme work should I leave the GAP security level open, and just set the characteristics I want to protect until after bonding to the necessary security level?

Additionally, when using MITM protection with passkey, will the central (phone) always prompt the user for key entry, or can a pseudo-random number be generated and entered all behind the scenes? It is my understanding that Android and iOS are configured to prompt the user for input when a Bond with Passkey (MITM protection) is being interpreted.

  • gap_params_init function sets the security level for the GAP as well

    Do you mean this one?

    ble_gap_conn_sec_mode_t sec_mode;
    BLE_GAP_CONN_SEC_MODE_SET_OPEN(&sec_mode);
    err_code = sd_ble_gap_device_name_set(&sec_mode,
                                          (const uint8_t *)DEVICE_NAME,
                                          strlen(DEVICE_NAME));
    APP_ERROR_CHECK(err_code);
    

    It's write permissions for the Device Name characteristic.
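
The separation described in the answer above, as an added example that is not part of the original thread and is not SoftDevice code: every attribute carries its own read and write requirement, so an open Device Name says nothing about the other characteristics. The `sec_mode_t` type and `SEC_*` macros are local stand-ins that mirror the `sm`/`lv` encoding of `ble_gap_conn_sec_mode_t`, and the `APP_AUTH` and `PROTECTED` attributes are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local stand-ins (assumption): they mirror the sm/lv encoding of the
 * SoftDevice's ble_gap_conn_sec_mode_t so this builds without the nRF5 SDK. */
typedef struct { unsigned sm : 4; unsigned lv : 4; } sec_mode_t;
#define SEC_OPEN(p)          do { (p)->sm = 1; (p)->lv = 1; } while (0)
#define SEC_ENC_NO_MITM(p)   do { (p)->sm = 1; (p)->lv = 2; } while (0)
#define SEC_ENC_WITH_MITM(p) do { (p)->sm = 1; (p)->lv = 3; } while (0)

/* Every attribute has its own read and write requirement. */
typedef struct { sec_mode_t read_perm, write_perm; } attr_t;

/* Hypothetical attribute table for the scheme in the question. */
enum { DEVICE_NAME, APP_AUTH, PROTECTED, ATTR_COUNT };

static void build_table(attr_t t[ATTR_COUNT])
{
    SEC_OPEN(&t[DEVICE_NAME].read_perm);          /* the sec_mode quoted above */
    SEC_OPEN(&t[DEVICE_NAME].write_perm);
    SEC_OPEN(&t[APP_AUTH].read_perm);             /* stays open on purpose */
    SEC_OPEN(&t[APP_AUTH].write_perm);
    SEC_ENC_WITH_MITM(&t[PROTECTED].read_perm);   /* needs a passkey-bonded link */
    SEC_ENC_WITH_MITM(&t[PROTECTED].write_perm);
}

/* Security mode 1 only: the link level must be at least the required level.
 * A requirement of sm = 0 (no access) is never satisfied. */
static bool allowed(sec_mode_t need, sec_mode_t link)
{
    return need.sm == 1 && link.sm == 1 && link.lv >= need.lv;
}

/* Can a link at mode 1, level link_lv (1..3), write attribute idx? */
bool can_write(int idx, unsigned link_lv)
{
    attr_t t[ATTR_COUNT];
    sec_mode_t link = { 1, link_lv & 0xF };
    build_table(t);
    return allowed(t[idx].write_perm, link);
}

int main(void)
{
    static const char *names[] = { "Device Name", "app-level auth", "protected data" };
    for (unsigned lv = 1; lv <= 3; lv++)          /* 1 open, 2 enc, 3 enc + MITM */
        for (int i = 0; i < ATTR_COUNT; i++)
            printf("link level %u, write %-15s: %s\n", lv, names[i],
                   can_write(i, lv) ? "allowed" : "rejected");
    return 0;
}
```

In this model a link encrypted without MITM protection (level 2) is still rejected for the protected attribute, which only opens once the link reaches level 3.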
