I see. But does that qualify as a two-factor auth? You need two independent "factors" for that, and while OAuth uses tokens internally, all it does is ensure a secure transport between Google's servers and the app that requests authorization. It doesn't actually obtain two different things from the user.
No, that's not exactly what he means. The "token" isn't the OAuth native token, it's a 6-digit code that is based on the current time and a device secret embedded in the app on your phone.
What you are referring to isn't part of the OAuth spec, as far as I know, is it something particular to Google's API?
The cached access token could also be considered a factor, although it depends on the token expiry policy. If the token doesn't require a refresh using a refresh token (which must prompt a password) often enough its security is compromised.
I don't know what kind of expiry Google's OAuth token has, but last time I tested this, it was a very long time. I believe Twitter's live forever. Facebook's offline access scope (which you will need for a normal app) lives forever until the user changes his/her password (see http://developers.facebook.com/blog/post/2011/05/13/how-to--...).
