From what I've gathered, if OAuth is the only authentication mechanism and you can't easily redirect a user to a browser and back then xAuth is your best option. Though I suppose you could so something funky like emailing a user a link and have them return back with the PIN (for the Out-of-Band workflow).

Reading the API mailing list it sounds like Twitter is granting xAuth access on a 1-2 week timeline. Though that may be based on the size of the email queues.