
IP based Multi-factor authentication for Joomla

Since Akeeba donated their Login Guard to the Joomla project, the multi-factor authentication works quite decently. The interface is a tad rudimentary, but gets the job done.

This MFA plugin allows using one or more IP addresses as part of multi-factor authentication.

It is set up as a multifactorauth plugin and can be used with any number of IP addresses, logins and other MFA methods.

Where the Verification Code MFA requires switching back and forth to an authenticator app and Web Authentication requires a button click and an action like a fingerprint scan, this IP method will log you in whenever your IP address matches, skipping through the MFA screen.

Bypassing MFA Authentication / Whitelisting IP's

Technically, this plugin is another MFA method, using your IP address as the validation code. Practically it is like whitelisting IP addresses to bypass MFA authentication, especially with the option Autosubmit MFA Form set to yes.

Installation

  • Install the plugin as any other extension.
  • (Optionally) add IP addresses to the plugin settings as a global whitelist.
  • (Optionally) enable autosubmitting the MFA form in the plugin settings.
  • (If not done already) Configure MFA in the User Options.
  • In your user configuration add an entry for Authentication based on IP; if IPs are set in the global whitelist, the IP field may be empty. Set this as your default method for automatic login.
  • (Optionally) If you need multiple IP addresses per user, add multiple entries.
  • Add at least one other MFA method, otherwise you can't log in from unlisted IPs.

Typically, the global list would contain your office IP. Per user, you would add a home IP.

IPs can be single addresses, ranges (127.0.0.1 - 127.0.0.128) or net masks (192.168.0.1/24).

For IPv6 addresses you most likely need a range or netmask: 2001:db8:db8:1::/64

(Typically, an ISP assigns a /64 or smaller subnet to establish service on the WAN. An additional network is routed for LAN use. The size of the allocation depends upon the ISP, but it’s not uncommon to see end users receive at least a /64 and even up to a /48.)
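The three whitelist formats above (single address, "start - end" range, CIDR netmask) all reduce to the same check: does the client address fall inside a set of networks? The following is an added example, not the plugin's own code, showing that check with Python's standard ipaddress module. The function names parse_whitelist_entry and ip_matches, and the sample whitelist entries, are constructed for this illustration; they assume the global list and the per-user entries are simply concatenated before matching. Unparseable entries never match, so a typo in the whitelist fails closed rather than open, and IPv4-mapped IPv6 client addresses (::ffff:a.b.c.d) are normalised so an IPv4 entry still matches a dual-stack server.

```python
import ipaddress

def parse_whitelist_entry(entry):
    """Turn one whitelist entry into a list of ip_network objects.

    Accepts a single address ("10.0.0.5"), a range ("127.0.0.1 - 127.0.0.128")
    or a CIDR netmask ("192.168.0.1/24", host bits are ignored).
    Raises ValueError for anything else.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = (p.strip() for p in entry.split("-", 1))
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry!r}")
        # summarize_address_range expresses an arbitrary range as CIDR blocks
        return list(ipaddress.summarize_address_range(start, end))
    if "/" in entry:
        return [ipaddress.ip_network(entry, strict=False)]
    return [ipaddress.ip_network(ipaddress.ip_address(entry))]

def ip_matches(client_ip, entries):
    """True if client_ip is covered by any entry in the combined whitelist.

    Fails closed: an invalid client address or an unparseable entry never matches.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    # A dual-stack server may see IPv4 clients as ::ffff:a.b.c.d; compare the IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for entry in entries:
        try:
            networks = parse_whitelist_entry(entry)
        except ValueError:
            continue  # bad whitelist entry: skip it rather than match everything
        for net in networks:
            if net.version == addr.version and addr in net:
                return True
    return False

if __name__ == "__main__":
    # Constructed sample: a global office list plus one user's home entries.
    global_whitelist = ["192.168.0.1/24"]
    user_entries = ["127.0.0.1 - 127.0.0.128", "2001:db8:db8:1::/64", "not an ip"]
    for ip in ["192.168.0.200", "127.0.0.100", "127.0.0.200", "2001:db8:db8:1::abcd"]:
        print(ip, ip_matches(ip, global_whitelist + user_entries))
```

Note that a netmask entry such as 192.168.0.1/24 is interpreted as the whole 192.168.0.0/24 network, which is what the plugin's documentation implies but is worth remembering when you expect to whitelist a single host.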

With Authentication based on IP set as the default, MFA is basically bypassed/disabled for the whitelisted IP(s). The MFA page asking for the code should auto submit within a few moments. If IP based authentication fails, the page will reappear with the option to select a different method.

Security

Ensure that you 'own' and trust the IP addresses you whitelist, like with a fixed home or work address. 

IP addresses sent via the HTTP headers HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are not accepted by default by Joomla, as they are very easy to spoof. If your website is behind a proxy or load balancer, you might need to enable them with the option in Joomla's configuration (Global Configuration → Server → Proxy → Behind Load Balancer).
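Why the default of ignoring those headers matters: anyone can send an X-Forwarded-For header, so an IP whitelist that trusts it blindly is no factor at all. The following added example (not Joomla's or the plugin's code) shows the pattern a server should apply when it is behind a load balancer: only consult the forwarding headers when the TCP peer is one of your own proxies, and take the rightmost address that is not a trusted proxy, so values prepended by the client are discarded. The function name client_ip, the header dict keyed by PHP-style $_SERVER names, and the proxy networks are constructed for this illustration.

```python
import ipaddress

def client_ip(remote_addr, server, trusted_proxies=()):
    """Return the address to feed into the IP whitelist check.

    remote_addr     the TCP peer address (PHP's $_SERVER['REMOTE_ADDR'])
    server          dict of forwarding headers in $_SERVER form, e.g.
                    {"HTTP_X_FORWARDED_FOR": "198.51.100.7, 10.0.0.3"}
    trusted_proxies networks of load balancers / reverse proxies you operate

    If the peer is not a trusted proxy, the headers are client-controlled
    and ignored, which is the equivalent of Joomla's default setting.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr.version == n.version and addr in n for n in trusted)

    if not is_trusted(peer):
        return str(peer)

    # X-Forwarded-For is a comma-separated chain; each proxy appends the peer
    # it saw. Only the entries appended by our own proxies can be believed, so
    # walk from the right and stop at the first hop that is not one of ours.
    xff = server.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fail closed to the peer address
        if not is_trusted(addr):
            return str(addr)

    # Chain empty or consisted only of our proxies (e.g. internal health check)
    return str(peer)

if __name__ == "__main__":
    # Constructed samples: a direct client trying to spoof, and a proxied client.
    print(client_ip("203.0.113.9", {"HTTP_X_FORWARDED_FOR": "198.51.100.7"}))
    print(client_ip("10.0.0.2",
                    {"HTTP_X_FORWARDED_FOR": "203.0.113.1, 198.51.100.7, 10.0.0.3"},
                    ["10.0.0.0/8"]))
```

In the second sample the client tried to prepend 203.0.113.1 to the chain; because the function trusts only what the 10.0.0.0/8 proxies appended, the whitelist check still sees 198.51.100.7. The same applies to HTTP_CLIENT_IP, which carries a single address and should be treated identically: believed only when the peer is a trusted proxy.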

Microsoft allows whitelisting IP addresses for its Azure solutions, so as long as the IPs used can be trusted it should be pretty secure. Do not use IP addresses that are shared, like:

  • If you are behind a firewall
  • Using a VPN
  • If your guest network shares the IP with your private network
  • etc.

XSS

XSS stands for Cross-Site Scripting. It's a type of security vulnerability commonly found in web applications. In XSS attacks, malicious scripts are injected into web pages viewed by other users. These scripts can then execute in the browsers of those users, leading to various consequences such as session hijacking, unauthorized data access, cookie theft, and more.

With a fully automatic login based on your IP you might be slightly more vulnerable to XSS attacks. Therefore, you can toggle auto-submitting the MFA Form in the plugin settings.

MFA (Multi-Factor Authentication) and 2FA (Two-Factor Authentication) are often used interchangeably, but 2FA is a type of MFA.

MFA uses 2 or more types of authentication, like your password (something you know), an emailed code (something you have) and your fingerprint (something you are).

Thus, 2FA is a type of MFA with just two methods and while Joomla calls it Multi-factor authentication, it's actually 2FA. After your password, just one other method is required.