Which banks actually do this? I've never encountered one.

Most European banks do. Only few US banks do. Primary reason for this difference is that it's trivial to transfer money from one European bank account to any other bank account. It basically works like email, where you can just enter any destination bank account number. With US bank accounts the process is much harder, as you first need to add and confirm the second bank account (which somewhat reduces the risk of what can happen if someone gets access to your account).

Here's a list of them that use Verisign's VIP: https://idprotect.vip.symantec.com/wheretouse.v

Others may use in-house solutions. Here's Bank of America's two factor solution: https://www.bankofamerica.com/privacy/faq/safepass-faq.go

We're almost to a point where the question isn't whether or not they support it, it's finding out that they have a program, clicking through tiny text links at the bottom of pages, and figuring out how yet-another-implementation works.

The major ones that I've used do - Chase and Bank of America, both through sending codes over SMS to login and perform certain activities once logged in. For BoA, even if you stole my password and browser cookie (to get past the login check), you still wouldn't be able to do anything but pay my bills for me. Anything that might send money to a new destination, like creating a new billpay recipient, changing the info of one, or adding a wire transfer destination, requires an additional 2-factor code.

Both my banks do (European banks, specifically Rabo and ABN/AMRO).

These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.

Typically these systems work in conjunction with pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.

Separate challenges exist for logging in (read access) and transferring money.

Those are common in Brazilian banks as well. At least four of the six biggest (I don't remember about the last two) do two-factor authentication.

Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in a ATM or in a 1-800. If I recall correctly, they do that with a Java applet.

Recently they also launched a common-malware-search-and-destroy application of MANDATORY use in Windows computers (my mom uses, she asked me. And yes, the digital certificates were all valid).

What's wrong with TANs?

My American Express personal savings does. HSBC does and even allows you to enter your 2FA on a JavaScript keyboard (clicky click) if you choose to mitigate the threat of a key logger.

Chase requires two factor authentication.