Until someone creates a new encryption system which isn't susceptible to MITM attacks
Uh, some of the earliest encryption algorithms ever created are immune to MITM.
The core of the MITM issue is that anything sent over it could be intercepted or spoofed.
So ALL your communication must be encrypted.
All you need is a pre-shared key to initiate the connection. Whether that's a password or a certificate or something else makes no difference. What matters is the pre-sharing. You have to fucking know and trust the source of that key. If you're just using a list of certs issued by people you don't know and trusted on your behalf by other people you don't know, then your shit isn't secure.
In an ideal world I'd walk into a bank branch, verify that it is my fucking bank, ask them for a certificate for web access, they'd generate a unique one for me, and I'd copy it to my devices and trust it. I would also give them my own unique certificate, though a username and password is essentially a weaker version of that.
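
The pre-shared-key argument in the comment above, as an added example that is not part of the original post: a toy challenge-response handshake in which both sides prove they hold a key exchanged out of band, so an on-path party who alters a message or lacks the key is rejected. The function names, message layout and sample key are assumptions made for illustration; this is not TLS-PSK or any deployed protocol.

```python
import hashlib
import hmac
import secrets

PSK = b"constructed sample key, handed over in person"  # constructed value

def prove(psk, role, client_nonce, server_nonce):
    """Proof of key possession: HMAC over a role label and both 16-byte nonces."""
    return hmac.new(psk, role + client_nonce + server_nonce, hashlib.sha256).digest()

def session_key(psk, client_nonce, server_nonce):
    """Per-connection key bound to both nonces and the pre-shared key."""
    return hmac.new(psk, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()

def handshake(client_psk, server_psk, mitm=lambda step, msg: msg):
    """Run the exchange. `mitm` sees every message in transit and may rewrite it."""
    # 1. client -> server: fresh nonce
    cn_sent = secrets.token_bytes(16)
    cn_recv = mitm("client_nonce", cn_sent)

    # 2. server -> client: its own nonce plus proof that it holds the key
    sn_sent = secrets.token_bytes(16)
    sn_recv = mitm("server_nonce", sn_sent)
    s_proof = mitm("server_proof", prove(server_psk, b"server", cn_recv, sn_sent))

    # 3. client checks the proof against the nonces *it* saw
    if not hmac.compare_digest(s_proof, prove(client_psk, b"server", cn_sent, sn_recv)):
        return "client rejected server"

    # 4. client -> server: proof in the other direction (mutual authentication)
    c_proof = mitm("client_proof", prove(client_psk, b"client", cn_sent, sn_recv))
    if not hmac.compare_digest(c_proof, prove(server_psk, b"client", cn_recv, sn_sent)):
        return "server rejected client"

    same = hmac.compare_digest(session_key(client_psk, cn_sent, sn_recv),
                               session_key(server_psk, cn_recv, sn_sent))
    return "ok" if same else "key mismatch"

def swap(step_name):
    """Build an on-path rewriter that replaces one named message with zero bytes."""
    return lambda step, msg: bytes(len(msg)) if step == step_name else msg

if __name__ == "__main__":
    print("honest peers:        ", handshake(PSK, PSK))
    print("server without key:  ", handshake(PSK, b"guess"))
    print("nonce rewritten:     ", handshake(PSK, PSK, swap("server_nonce")))
    print("client proof forged: ", handshake(PSK, PSK, swap("client_proof")))
```

Everything the check relies on comes from the key shared beforehand; nothing sent over the wire is trusted until it verifies against that key.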