Well then, to answer my own question ...
It turned out that security does not have a fixed measurement scale. Security requirements are met if the cost of breaking the system significantly exceeds the gain that could be obtained from doing so.
In my situation we are talking about an electronic banking system, but one with small monthly limits (a couple of thousand US dollars). As I mentioned in my question, on top of HTTPS there will be another layer of security that will contain WSS XML signatures. Registering a user and accepting his public key is also carried out in several stages. In the first stage, the user sends his phone number together with a code received in some way from my client. An SMS with a confirmation code is then sent to the user. The user enters the confirmation code into the OTP calculator, which produces an OTP code that identifies the user. The public key is then sent to the server together with the OTP code. From that point on, every request must be signed with the private key corresponding to the public key sent to the server earlier.
Thus the biggest weakness in the whole process is that someone reverse-engineers the application and extracts the client certificate used for SSL. The only problem that arises from this is that someone could observe the user's transactions. However, in order to complete a transaction, he would need the user's secret key, which is generated, encrypted and stored in the keychain. And the cost of breaking this level of security is VERY HIGH.
We will also think about protecting user data at a higher level (for example, using WSS Encryption), but for a start I am sure that the current solution does a good job.
Any opinions?
Regards
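The enrollment and request-signing flow the post describes, as an added Go example that is not part of the original post or of the poster's system. Several things are assumptions: Ed25519 stands in for the WSS XML signatures, the code the user receives from the bank out of band doubles as the seed of the OTP calculator, the OTP is an HMAC-SHA256 truncated HOTP-style to six digits (the post does not say how the calculator works), and the phone number serves as the user identifier. The example also puts a timestamp and a nonce under every signature, which the post does not mention: signing each request proves who sent it, but on its own it does not stop someone who captured a signed transfer from submitting it a second time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Server is the bank side; the maps stand in for a database.
type Server struct {
	seeds    map[string][]byte            // phone -> code the user got from the bank out of band (assumed to double as OTP seed)
	smsCodes map[string]string            // phone -> outstanding SMS confirmation code
	pubKeys  map[string]ed25519.PublicKey // phone -> enrolled public key
	seen     map[string]bool              // nonces already accepted (replay cache)
}
// otp models the OTP calculator as HMAC-SHA256(seed, smsCode) truncated HOTP-style to six digits (assumed; the post gives no construction).
func otp(seed []byte, smsCode string) string {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte(smsCode))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// StartEnrollment (stage 1): phone number plus out-of-band code in, SMS code out (returned here instead of texted).
func (s *Server) StartEnrollment(phone string, code []byte) (string, error) {
	if want, ok := s.seeds[phone]; !ok || !hmac.Equal(want, code) {
		return "", errors.New("unknown phone or wrong enrollment code")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	s.smsCodes[phone] = fmt.Sprintf("%06d", n.Int64())
	return s.smsCodes[phone], nil
}
// FinishEnrollment (stage 2): OTP plus public key in; the server recomputes the OTP, binds the key, and burns the SMS code either way.
func (s *Server) FinishEnrollment(phone, code string, pub ed25519.PublicKey) error {
	sms, ok := s.smsCodes[phone]
	delete(s.smsCodes, phone)
	if !ok || len(pub) != ed25519.PublicKeySize || !hmac.Equal([]byte(otp(s.seeds[phone], sms)), []byte(code)) {
		return errors.New("no enrollment in progress, bad key, or wrong OTP")
	}
	s.pubKeys[phone] = pub
	return nil
}

// SignedRequest is every later API call; TS and Nonce sit under the signature so a captured request cannot be replayed.
type SignedRequest struct {
	Phone, Nonce, Body string
	TS                 int64
	Sig                []byte
}
func canonical(r SignedRequest) []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n%s", r.Phone, r.TS, r.Nonce, r.Body))
}
// SignRequest is the client side; the private key never leaves the device.
func SignRequest(priv ed25519.PrivateKey, phone, body string, now time.Time) (SignedRequest, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{Phone: phone, Nonce: fmt.Sprintf("%x", nb), Body: body, TS: now.Unix()}
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r, nil
}

// VerifyRequest is the server side: key lookup, freshness window, replay cache, then the signature.
func (s *Server) VerifyRequest(r SignedRequest, now time.Time) error {
	pub, ok := s.pubKeys[r.Phone]
	switch {
	case !ok:
		return errors.New("no key enrolled for this user")
	case now.Unix()-r.TS > 300 || r.TS-now.Unix() > 300:
		return errors.New("timestamp outside the 5-minute window")
	case s.seen[r.Nonce]:
		return errors.New("replayed nonce")
	case !ed25519.Verify(pub, canonical(r), r.Sig):
		return errors.New("bad signature")
	}
	s.seen[r.Nonce] = true // remember only nonces that carried a valid signature
	return nil
}
func main() {
	phone, seed := "+15550100", []byte("code-handed-over-at-the-branch") // constructed user and out-of-band code
	s := &Server{map[string][]byte{phone: seed}, map[string]string{}, map[string]ed25519.PublicKey{}, map[string]bool{}}
	sms, _ := s.StartEnrollment(phone, seed)         // stage 1: SMS code goes to the user's phone
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the device generates its key pair
	fmt.Println("enroll:", s.FinishEnrollment(phone, otp(seed, sms), pub))
	req, _ := SignRequest(priv, phone, `{"to":"ACME","amount":"120.00"}`, time.Now())
	fmt.Println("first:", s.VerifyRequest(req, time.Now()), "| replay:", s.VerifyRequest(req, time.Now()))
}
```

Run it with `go run .`; the first verification returns nil and the second, identical request is rejected as a replayed nonce. Two design choices worth noting: the SMS code is deleted before the OTP is checked, so a wrong guess costs the attacker a fresh SMS round rather than a free retry, and a nonce is only recorded after the signature verifies, so an unauthenticated sender cannot fill the replay cache with junk. The cost-of-breaking argument in the post rests on the private key staying inside the device keychain; this code assumes that but cannot enforce it.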