IP is dynamic, but as a rule, the provider issues ip from a certain range. You only need to find out this block (for example, from the provider) and allow access from this range.

You can configure access to the usb-token.
But here the implementation rests on money.

Can I put a dyndns client with a specific domain in the office, and check in the admin panel whether the IP address of the authorizing person matches the one to which this domain responds?

If the admin wants, he will bypass any protection.
Options for different degrees of security:
1. Eternal cookie installed on the computer. You can peep which one and install it where you need it.
2. SSL certificate. You can copy and install wherever you want.
3. A certain program tied to hardware (does not run on another computer), which makes a request to the admin panel, forming a request in a certain way, in response receives a “secret” URL that is valid for some time and launches a browser with this URL

As correctly indicated above, an experienced admin will bypass all options, this is 100%.
But if you need protection from users and have access to the computer on which the admin panel should be launched, you can try to organize a check for the presence of a specific file on the local machine.
docs.php.net/manual/en/function.fopen.php - via fopen, for example.
The file is not a cookie, which is different for different browsers, and the user can suddenly clean the disk.
Put it somewhere far away. Well, then at your discretion - you can check the contents of the file, except for its presence.
Such a thought.

it seems that the organizational problem is solved by technical methods. not quite the right approach.
if work is important for employees, then you can fire a couple of people who are trying to work not as prescribed, so that others do not do so.

In the /etc/hosts file, write the IP range

Judging by the question, you have heightened paranoia. To all of the above (range of addresses, eternal cookies), control the time of work. That is, when the admin is at home after duty, the system does not let his account. Well, in addition, attach to the access system of your organization the control of entry and exit using magnetic cards: when a person leaves the building (room), block the acc.
And do not forget: a person can connect remote access to his machine and manage the admin panel without all sorts of workarounds, mocking your efforts ;-)

1. Connect a permanent external IP to the organization's network;
2. Transfer the site to a server in the organization's network;
3. Set up access via apache only from the required computer.
4. You can make access to the admin panel only on port 443 through a certificate. And close it on the router from external access. Or set up a firewall on the server so that access to it (port) is only from LAN or from a specific machine in LAN.
Again, it is possible that a person can remotely log into his work machine and do whatever he wants with the site.
You can also come up with a scheme with a VPN ... You can write software that will be instead of an admin panel ... it all depends on how much you need to protect the site admin panel and how many resources the owner is ready to allocate for this)))