Adding a secondary authentication under OAuth?

Greetings!

Say I have fleet of mobile devices that are the consumers in a three-legged OAuth. The user authorizes each device, but then hands them over to other people. I would like to have these people then need an additional password to inter开发者_JS百科act with the mobile device's protected resources.

Is there a standard, best practices way to do this? Could I use another, layered 2-legged OAuth, or should I do something else?

--Edit--

P.S. Since I posted this I discovered Twitter's "4-legged OAuth" for things like TwitPic, using a "delegator" this is a step towards answering my question, as it appears that OAuth can, in principle, be n-legged.

Are there other 4-legged and/or n-legged OAuth implementations floating around I can read over?

Thanks again,