Thinking about the attack surface, by adding the pin you are essentially adding a second factor of authentication to the client device on it’s first use. This makes some amount of sense as otherwise someone could use any reader to log in as you.
My question then probably should be why force the use of a phone for the client association. Why not provide an endpoint that the user is sent to? Basically if you are adding a password/pin step for first time device registration why not use an outh flow that clients can implement. I can see why it would not be a priority currently but it seems unnecessary to force me to use a phone as a secure element as well as my implant.
Also as a side note, it would be cool if the API allowed for the validation of a scan without linking to the users account, basically I am thinking for use cases like the Annual Cyborg Meet-up 
where you could use the VivoKey implant as an ID system.