H5P.com has a built-in security feature for avoiding someone from getting access to another author's account through LTI. This is normally not possible if the LMSes are set up correctly. It would only be a problem if users have permission to change their own email addresses. Nevertheless, h5p.com will do the following whenever we see a user with an unknown LTI user ID launching h5p.com through LTI:
If an email address is provided through the LTI launch, we check whether this email is already connected to an h5p.com user account. We also check whether the user already has a registered LTI user ID. If both of these are true, the user confirmation feature is triggered.
This will typically happen when an organization sets up a second LMS Connection to h5p.com. It will also happen if a user has two accounts on the LMS with the same email address. Do note this will only be triggered once per LTI user ID.
When this feature is triggered, h5p.com will send an email to the user. This email will contain a verification code like the below example:
The code above must then be pasted into the input field below, and the Proceed button must be clicked:
After submitting the confirmation code, it should be possible to use h5p.com to create and insert content into the LMS.
Note: The user confirmation feature will always be triggered when setting up a new integration, it can be either with a different LTI version (1.1 vs 1.3) or with a different LMS (Canvas, Blackboard, Moodle, etc.).