TransWikia.com

Securing wifi SSID and password during provisioning

Internet of Things Asked by AshUK on August 23, 2021

This is yet another provisioning BLE/Wifi question.

We are looking to secure the initial communication between our mobile application and smart device (ESP32, BLE and WiFi). We want to make this as seamless as possible and also accessible to users with potential sight loss. Out of the box the ESP-IDF supports Blufi and Unified Provisioning (BLE prov), which is great as this keeps the SSID and password encrypted when configured correctly. To prevent MITM attacks you can also optionally pass a proof of possession key. However, this would require the user to read a code from a sticker or alternatively scan a QR code. I understand why this is required. However, I have also seen on products such as Google's Chromecast and the Amazon Echo that provisioning is just a single touch.

Looking at the current BLE mechanisms I don't see a perfect solution:

  • JustWorks is secure but open to MITM
  • OOB is possible as we can store a factory OOB key on the device and in the cloud. The app would receive the key from the cloud once the device has passed a challenge-response generated from the factory key pair. However, passing PoP/OOB keys around like this seems like a recipe for disaster.
  • Passkey/Numeric Comparison – there is no display on end device

My question is: how are Amazon/Google able to achieve this without the inconvenience of QR codes and passkeys, and if they are accepting the MITM risk, what techniques can be used to reduce this risk?
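A constructed illustration of the OOB challenge-response flow the second bullet sketches (added example, not the poster's code or Espressif's provisioning API): the cloud releases a per-session key derived from the factory key rather than the factory key itself, each nonce is single-use, and the device applies SSID/password only when the message carries a tag under that session key, so a relayed or substituted credential message from a MITM is rejected. The device id, labels and the stdlib HMAC-SHA256 construction are assumptions; confidentiality of the credentials on the BLE link is left to the provisioning transport the question already describes.

```python
import hashlib, hmac, secrets

# Constructed factory database: device id -> factory key (assumption: the same key is
# burned into the device at manufacture and held by the cloud, as the bullet describes).
FACTORY_DB = {"dev-0001": hashlib.sha256(b"constructed-factory-key").digest()}

def prf(key, label, *parts):
    """HMAC-SHA256 with a domain-separation label and length-prefixed inputs."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Cloud:
    def __init__(self, factory_db):
        self.db = factory_db
        self.pending = {}  # device id -> outstanding single-use nonce

    def issue_challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_and_release(self, device_id, response):
        """Release a per-session key only after the device proved it holds the factory key."""
        nonce = self.pending.pop(device_id, None)  # consumed once, so a replayed response fails
        if nonce is None or device_id not in self.db:
            return None
        key = self.db[device_id]
        if not hmac.compare_digest(prf(key, b"prov-response", nonce), response):
            return None
        return prf(key, b"prov-session", nonce)  # the factory key itself never leaves the cloud

class Device:
    def __init__(self, device_id, factory_key):
        self.id, self.key, self.session = device_id, factory_key, None

    def answer(self, nonce):  # nonce is relayed over BLE by the app
        self.session = prf(self.key, b"prov-session", nonce)
        return prf(self.key, b"prov-response", nonce)

    def accept_credentials(self, msg, tag):
        """Apply SSID/password only if the tag was made with this session's key."""
        return self.session is not None and hmac.compare_digest(prf(self.session, b"prov-creds", msg), tag)

def provision(cloud, device, ssid, password):
    response = device.answer(cloud.issue_challenge(device.id))
    session_key = cloud.verify_and_release(device.id, response)
    msg = ssid.encode() + b"\x00" + password.encode()
    return session_key is not None and device.accept_credentials(msg, prf(session_key, b"prov-creds", msg))
```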
