The key isn't being transmitted, but a hash of it with a nonce is. You could do a DH key exchange and encrypt it, but I doubt that would help that much: An attacker would just need to transmit their own auth packets.