I would create a WCF service inside the ASP.NET webapp, which accepts cleartext username and password, and of course use transport-level encryption. In this service, I would call the MembershipProvider's ValidateUser() method.
Or you could implement a more secure authentication mechanism, but in that case, you should use your own MembershipProvider, because the default provider only accepts a cleartext password, and whatever it does with that is a secret, kind of.
The trick is that if you put your WCF service inside your webapp, then it will behave just like your browser clients. If you're using HTTPS for browser clients, then use the same HTTPS channel for WCF, and you're fine.