Perhaps this changed now, but I had to set up a different 2FA method first (I used a U2F security key), then add OTP, and then it was possible to remove the U2F method.
After logging in with OTP once (I just keep the private key on my laptop in pass) you never seem to get asked to provide it again, but 2FA is nominally enabled.
