Ip whitelisting sounds like an effective way to protect valuables but the problem comes when you using a dynamic ip and you need to confirm your activities every time you try to login to get access which grows to a pen in the butt
For IP Whitelisting I'm talking about API keys, generally you would be using these on a server and their IPs usually don't change.