This is off the top of my head. Hope it helps. :)

Setup:
— — — -
Inject a dependency into your implementation of Authenticator.
The dependency provides a method which redirects the user to pin entry screen.

Workflow:
— — — — —
Screen A -> makes a network call.
The network call returns 401.
Authenticator intercepts the authentication challenge.
It uses the dependency to redirect the user to pin entry screen.
It also passes the original response (originalResponse: Response) it has received which resulted in 401 to the pin entry screen.

On the pin entry screen, once the user enters his/ her pin, manually refresh the token, then rebuild the request with originalResponse.

originalResponse.request().newBuilder()
 .removeHeader(Authorization.NAME)
 .addHeader(Authorization.NAME, Authorization.getValue(authData.accessToken))
 .build()

Retry the updated request. Hope this helps.