Small clarification of terms: REST is an architectural style, SOAP is a protocol for exchanging information, and Web API is a framework to build HTTP services.
The stock answer for questions like this is "It depends".
Before you continue with a technology selection: is your method for authenticating users currently separated properly from your business/presentation logic?
If that is the case, being that you are using MVC 4, Web API may be the path of least resistance: you can put all of the functionality that requires authentication behind Web API calls, and your controllers will call them. Once that is done, a Windows Forms app can consume the data in a similar way.