Challenge solved or not? How to know?

You can also authenticate them by email, no need to use IP address. What I have is two Access Groups, one with my email, another with the emails of occasional visitors who may need access to the back end, and each Access Policy has an Allow rule for these groups.

When you visit an Access-protected area for the first time, the screen will ask you to provide your identity, and the user has the choice between those enabled by the site admin. User choses, say, Google, and they are redirected to a Google page where they are asked to provide username and password. Once authenticated, the user is automatically redirectted back to their destination on your site,and won’t be asked for an email again for the duration of the session (which can be set from 1 day to a month)