GitHub account for personal and business use
In my 4+ years as a solutions engineer at GitHub I spoke to countless customers who mentioned that they require, or plan to require, their employees to create a separate GitHub account to be used for business purposes only. Let me explain why that is a bad idea.
TL;DR: asking employees to create a separate “business” account not only creates a false sense of security, but also goes against GitHub’s Terms of Service.
Legalities
For starters, having multiple GitHub user accounts goes against GitHub’s Terms of Service:
In the Account Terms section:
“Personal Accounts and Organizations have different administrative controls; a human must create your Account; you must be 13 or over; you must provide a valid email address; and you may not have more than one free Account. You alone are responsible for your Account and anything that happens while you are signed in to or using your Account. You are responsible for keeping your Account secure.”
And more in the Account Requirements subsection:
“One person or legal entity may maintain no more than one free Account (if you choose to control a machine account as well, that’s fine, but it can only be used for running a machine).”
Yes, I know, people will say “but I pay for a Team or Enterprise plan, so I can create another account!” The confusion here is that the payment is for a Team or Enterprise plan for an organisation, not for a user account. You cannot apply a Team or Enterprise plan to a GitHub user account.
Note: if you need a machine account for scripts or bots to interact with GitHub, that is not an issue.
Security
The other type of argument that comes up often concerns security and control over the account.
Some examples:
- we want to make sure that the user account is only used for business purposes and not mixed with personal use
- when an employee leaves we want to be able to take over that account
- we don’t want employees to have a business email address in their personal account
- we don’t want employees to log in with a business email when working on personal projects
- we want employees to have a standard picture, username and email address in their profile
Before I address those, some background on how GitHub accounts and organisation membership work. All GitHub accounts on standard github.com are personal: the individual who created the account owns it. There is one case (Enterprise Managed Users) where the business can own the user account, but other than that the individual who created the account owns it and has complete control over it, not the company.
What a company can do, however, is control who has access to its organisation on GitHub. Unless a GitHub account is invited and added to the company’s organisation, it simply cannot access any private or internal repository. While the account is a member of the organisation, the organisation owners and repository admins control which resources within that organisation the user can access. And once the employee leaves the company and their GitHub account is removed from the organisation, they can no longer see any of the company’s non-public resources. So, as you can see, while the company has no control over the user account, it has complete control over what that user can access once added to the organisation.
So let me show you how the concerns above are not solved by creating a separate account:
- The company has no control over the account. As a user, I can create an andre_business GitHub account at the company’s request, get a second job at another company and use the same account in that company’s organisation. Not only can the original employer not prevent that, but with the right settings they will never find out about it.
- The employee might agree to hand the account over, but they are under no obligation to do so, and if they refuse, the company can do absolutely nothing about it. The individual owns that account, not the company.
- Since the user owns the account, it is up to them which email addresses to add to it and whether or not to make them public. The company has absolutely no way to find out what email addresses are added to that account unless they are made public.
- Since the “business” user account is no different from any other account on GitHub, the user will still be able to create personal repositories in that account and/or use it to make changes in open source repositories or in private repositories they have access to. There is nothing the company can do to prevent that.
- The employee might agree to set a particular profile picture, username and email address, but they are under no obligation to keep it that way and can change it at any time.
There are two partial exceptions to that. While the company can’t force a user to set any particular setting on their profile, it can indirectly influence some settings by:
- requiring 2FA to be enabled on the user account before the user can be added to the organisation
- only sending notifications to email addresses on the company’s domain, so if the user doesn’t add a company email address to their GitHub profile, they will never get email notifications about events in the company’s GitHub organisation
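To make the organisation-side controls concrete, here is an added audit script (my example, not GitHub’s code or anything from the original post). It checks the things the company actually owns: whether the organisation enforces 2FA, which members currently lack it, what the base repository permission grants every member, and which members should lose access because they are no longer on the HR roster. It runs offline against a constructed fixture; the live mode assumes an organisation-owner token in GITHUB_TOKEN and the organisation name in GITHUB_ORG, and uses the documented REST endpoints GET /orgs/{org} and GET /orgs/{org}/members (with the 2fa_disabled filter). The logins, roster and settings in the fixture are made up.

```python
"""Organisation-side access audit for a GitHub org.

Added example: everything checked here lives on the organisation, which the
company owns, not on the user accounts, which it does not.
"""
import json
import os
import re
import urllib.request

API = "https://api.github.com"

# Constructed fixture standing in for three owner-scoped REST responses:
# GET /orgs/{org}, GET /orgs/{org}/members, GET /orgs/{org}/members?filter=2fa_disabled
SAMPLE_ORG = {
    "login": "example-org",
    "two_factor_requirement_enabled": False,
    "default_repository_permission": "write",
}
SAMPLE_MEMBERS = [{"login": "alice"}, {"login": "andre_business"}, {"login": "bob"}]
SAMPLE_NO_2FA = [{"login": "bob"}]
# Constructed HR roster: GitHub logins of people who should currently have access.
SAMPLE_ROSTER = {"alice", "bob"}


def audit(org, members, no_2fa, roster):
    """Compare what the organisation enforces against the access policy."""
    member_logins = {m["login"] for m in members}
    return {
        # Without this flag, accounts without 2FA can sit in the org indefinitely.
        "enforce_2fa": not org.get("two_factor_requirement_enabled", False),
        # Only populated while enforcement is off; the API returns [] otherwise.
        "members_without_2fa": sorted(m["login"] for m in no_2fa),
        # Offboarding: anyone in the org but not on the roster loses access by
        # removal from the org, whichever account they happened to use.
        "remove_from_org": sorted(member_logins - roster),
        # Roster entries that were never invited (or were already removed).
        "not_in_org": sorted(roster - member_logins),
        # A base permission above "read" hands every member write on every repo.
        "base_permission_too_broad": org.get("default_repository_permission")
        in ("write", "admin"),
    }


def get_all(path, token):
    """Live mode: fetch a paginated REST endpoint, following Link: rel="next"."""
    url = f"{API}{path}"
    out = []
    while url:
        req = urllib.request.Request(
            url,
            headers={
                "Authorization": f"Bearer {token}",
                "Accept": "application/vnd.github+json",
            },
        )
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
            out.extend(body if isinstance(body, list) else [body])
            match = re.search(r'<([^>]+)>;\s*rel="next"', resp.headers.get("Link", ""))
            url = match.group(1) if match else None
    return out


def audit_live(org_name, token, roster):
    """Run the same audit against the real API (needs an org-owner token)."""
    org = get_all(f"/orgs/{org_name}", token)[0]
    members = get_all(f"/orgs/{org_name}/members?per_page=100", token)
    no_2fa = get_all(f"/orgs/{org_name}/members?per_page=100&filter=2fa_disabled", token)
    return audit(org, members, no_2fa, roster)


if __name__ == "__main__":
    # Offline run on the constructed fixture.
    print(json.dumps(audit(SAMPLE_ORG, SAMPLE_MEMBERS, SAMPLE_NO_2FA, SAMPLE_ROSTER), indent=2))
    token, org_name = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ORG")
    if token and org_name:
        # Assumed: the roster would come from your HR system; reuse the fixture here.
        print(json.dumps(audit_live(org_name, token, SAMPLE_ROSTER), indent=2))
```

The point of the split between audit() and the transport is that the policy decision needs nothing from the user’s profile: membership, the 2FA requirement and the base permission are all organisation settings, so the same findings apply whether the employee joined with a personal account or a so-called business one.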
So, in summary, requiring employees to create a separate GitHub user account “just for business” purposes creates a false sense of security within IT teams, as they do not own those GitHub user accounts and cannot control them. Instead, the company should focus on securing access to its organisation by implementing controls such as SAML/OIDC SSO and SCIM user provisioning. Alternatively, if the company requires ownership of user accounts, it should consider switching to Enterprise Managed Users.