We provided some UX research on desktop apps using federated login and/or OAuth. One of the goals of that research was to show we could use OAuth as the technology, because it is agnostic to whether any type of federated login mechanism is used (SAML, OpenID, etc.) and agnostic as to how the user is authenticated (password, digital certificate, CardSpace, biometric, etc.). Below are some links to videos that show how that prototype was used (without any specific modification) with a few different federated login mechanism and authentication mechanisms. Google has also published some early research on usability of strong authentication approaches.
Note: To view the videos below in higher quality, click "watch in high quality" link that is at the bottom right under the video on the YouTube watch page
Authentication with standard password
Authentication with other forms of "what you know"
Authentication with one-time-password device that does not need to be connected to the PC (via USB, Bluetooth, etc.)
Authentication with software certificate, and for machines without that certificate the user is asked to provide the answers to some secret questions
Authentication with physical device
These examples will hopefully serve to show that it is possible for rich-client apps to use OAuth so that they can get the user's AUTHORIZATION to access that user's data, as opposed to the more traditional model of asking for the user's username/password and then impersonating them to the destination website. The delegated authorization model of OAuth allows rich-client apps to support federated login and strong auth without any additional changes for specific federation and strong auth technologies.