Additionally keep static QR codes for offline out-of-band verification?

[The two-way scanning] has the disadvantage that it’s not as easy for users to use (esp., you have to explain it to them, while “Scan this QR code” is quite obvious).

I’d consider it just as easy, with actually less required coordination, and no risk of conflicting modes.

It works on the intuitive “you scan mine, and I scan your credentials” basis (after opening the unified “QR scanning and displaying activity”). It’s intuitive for both (or all persons present) to get credentials that are transmitted through a separate channel. (No problems with missing network connections either.)

The keys are verified, I do not know how someone could do a MitM attack.

Are you sure about the word “verified”? I am not saying that a new chain-of-trust-remote-key-installing mechanism may not provide any degree of trustability. But the actual keys or fingerprints are never compared as one would expect from something talking about “verified contacts”.

Even for those people presenting the new scheme as a solution, it should be better to call it differently, to be clear about it, and better claim the full fame. Something along the lines of trust-chain or chained-channel-trust, maybe.

Anyway, IMHO there is an even greater bummer in the further idea that the scheme delegates (trusts) any QR scanned contact to remotely install and change keys for further (third-party) contacts (very convenient for setting up a MitM). How believable is it to call contacts whose keys can be exchanged by other contacts “verified”?
