Ah, that makes sense. I was confused by the phrasing of authentication token and thought you meant the authentication ID but now understand what you mean.
Why not follow that exact same model for authentication of apps? For example, I have a Smart TV and went to associate it with my Hulu account. The Hulu app on the smart TV contacted Hulu and got a authentication code. The app then told me to log in to www.hulu.com/activate and enter the code. That presumably tied the app on my smart TV to my account and Hulu provided an authentication token to the app.
That's almost exactly what you're doing as well for the device and so could do the same for any app. It would be pretty easy to implement and you could take all of the log in functionality out of the app and leave it in the website. Session state management is a mess and ends up with lots of edge cases to manage. It's also harder for you to scale in the long run.