Verification of identity is self evident if only the source and destination can decode a message. A man in the middle attack gets garbage if they don't have the key.
The only way a man in the middle attack works in this system is if you're passing keys back and forth and the man in the middle intercepts the key.
There are a variety of means of avoiding that besides using a trusted third party. After all, how do you know that the trusted third party isn't compromised?
They are themselves verified by having some key or other but whatever that is tends to be pretty easy to find out if you're determined. Which means it isn't a credible defense against a serious attacker. Against a casual attacker... sure.
How then does one avoid man in the middle attacks? Do not transmit handshake keys.
For example, let us say I am logging into my bank. My bank might ask me to type in some combination of account number, birth date, street address, phone number, into a box that generates a key. The bank knows what key will be generated because the algorithm is not secret. But the information the bank asked you to input as the key is something a man in the middle system shouldn't know. By typing that in or possibly using some sort of complicated captcha, you can generate a handshake key that an automated system without access to the bank's database won't be able to generate.
That key can then be used to exchange stronger encryption keys.
Beyond this, we should think more deeply about saving/storing BIG complicated encryption keys on devices used to do certain things. Say your tablet or pc or whatever. Why not store a 2 megabyte key? Beats the hell out of a 512 bit key. Possibly overkill, but a key of that size is going to be proportionally harder to crack because it won't repeat as often. The bigger the key the harder to crack.
And a key that equals the number of bits transmitted is literally impossible to crack... by anything... ever.