Unfortunately, systemic changes to the vault database itself do need to be done through the web vault. You might try using a different web browser, perhaps on a different operating system. Another recent case seems to imply that the browser brand makes a difference when logging in with new device login protection.
One possibility is to contact support and ask that NDLP be disabled on your account. They will do so for 24 hours, which is long enough to get TOTP set up.
Another (less than pleasant) approach is to set up a new account, get TOTP working and then export/import your vault from old to new. The primary complications (other than being annoying) are that attachments (if any) need to be manually migrated (zip format will export them, but there currently is no automated import - go vote for it) and that if you have premium, you will need support to move the subscription to the new account.
One thing to be aware of with this approach is that the Terms-of-service state “One person or legal entity may maintain no more than one free account”, so you do need to remember to delete the old account once you are confident the new account is complete and working properly.