
Both my banks do (European banks, specifically Rabo and ABN/AMRO).

These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.

Typically these systems work in conjunction with a pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.

Separate challenges exist for logging in (read access) and transferring money.



Those are common in Brazilian banks as well. At least four of the six biggest (I don't remember about the last two) do two-factor authentication.

Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in an ATM or in a 1-800. If I recall correctly, they do that with a Java applet.

Recently they also launched a common-malware-search-and-destroy application of MANDATORY use in Windows computers (my mom uses it, she asked me. And yes, the digital certificates were all valid).


What's wrong with TANs?



