The other (ugly) option is to remove the auth from the phone for the SIP provisioning, but that would leave an open door to a reboot attack without auth needed from any IP. And I don't like that option.
This might not be as bad of an option as you think. If the SPA is behind a stateful firewall then that firewall should allow the NOTIFY from the registrar due to the REGISTER and NAT keep-alive packets opening the firewall, but disallow SIP from any other source. I would recommend verifying that before you deploy it though as I haven't tested it myself.
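
As an added illustration (not part of the original posts), this toy Python model shows the stateful-firewall behaviour the reply describes: a NOTIFY is admitted only as the reverse of a flow the phone opened, and only while REGISTER or keep-alive traffic keeps that state alive. The addresses, the 30-second idle timeout, the outbound-only refresh rule and all names are assumptions, and real firewalls differ.

```python
from dataclasses import dataclass, field

# Constructed sample endpoints (documentation address ranges), not from the thread.
PHONE = ("192.0.2.10", 5060)
REGISTRAR = ("198.51.100.5", 5060)
OTHER_HOST = ("203.0.113.77", 5060)

@dataclass
class StatefulUdpFirewall:
    """Toy model: inbound UDP is admitted only as the reverse of a live outbound flow."""
    idle_timeout: int = 30  # seconds; assumed value, real firewalls differ
    flows: dict = field(default_factory=dict)  # (lan, lport, remote, rport) -> last outbound time

    def outbound(self, now, lan, lport, remote, rport):
        # REGISTER and NAT keep-alives from the phone create or refresh the state.
        self.flows[(lan, lport, remote, rport)] = now

    def inbound(self, now, remote, rport, lan, lport):
        # Assumption: only outbound traffic refreshes the timer (conservative).
        last = self.flows.get((lan, lport, remote, rport))
        if last is None:
            return False  # no matching flow: unsolicited SIP is dropped
        if now - last > self.idle_timeout:
            del self.flows[(lan, lport, remote, rport)]
            return False  # state idled out: even the registrar is dropped
        return True

def run_scenario(keepalive_interval, notify_at=120):
    """Phone REGISTERs at t=0, optionally sends keep-alives, then NOTIFYs arrive."""
    fw = StatefulUdpFirewall()
    fw.outbound(0, *PHONE, *REGISTRAR)
    if keepalive_interval:
        for t in range(keepalive_interval, notify_at + 1, keepalive_interval):
            fw.outbound(t, *PHONE, *REGISTRAR)
    return {
        "registrar": fw.inbound(notify_at, *REGISTRAR, *PHONE),
        "other_host": fw.inbound(notify_at, *OTHER_HOST, *PHONE),
    }

if __name__ == "__main__":
    print("keep-alive every 20 s:", run_scenario(20))
    print("no keep-alive:        ", run_scenario(None))
```

The second scenario is the case to check on real hardware: if the keep-alive interval exceeds the firewall's UDP idle timeout, the registrar's NOTIFY is dropped along with everything else.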