With the newly released Web API Beta bits ( http://www.asp.net/web-api), you can support multiple authentication from client. Say you want the client send both the username/password as well as Client Certificate for SSL.
For the web hosted scenario, you can register a custom HTTP module to do the authentication and convert those client credentials into some principal that your controller can later authorize. Here is some sample code. Dislaimer, the code is only for demoing purpose, and not for production.
Step 1: Write a HttpModule to authenticate and turn the client credential to some principal information.
Step 2: Write a custom authorization filter to require certain principal.
Step 3: Add the authorization attribute to certain method that you want to secure in your controller.
Via IIS, you can set the SSL setting to require SSL and require Client certificate.
Hope this helps. Self host cases work in a little bit different way that i will blog sometime later.