The OAuth 2 spec does not have an MFA grant type, Auth0 however looks like it does have a custom one. We follow the standard OAuth 2.0 specification with our implementation. If you enable MFA in Invision Community, it will prompt the user during the login process.
It logs the requests to AdminCP > Rest & OAuth > API logs. It can be useful for debugging and development.
Secondary groups are a little special, members don't know which secondary groups they belong to and thus they're not made available via the REST API unless using an elevated permissions (API KEY) access.
The /me endpoint is special too, the 'email' information within it is controlled by the 'email' scope that the user accepts when initially logging in. This is the only member object that will contain an email address when using OAuth.
This does appear to be a bug, we'll get this addressed.