How to prevent a company email address from being used by personal GitHub accounts (and other email-related issues)
TL;DR: you can’t! Yeah, I know, it’s a click-bait title. But let me explain why the email address is really irrelevant.
Firstly, all accounts on github.com (with the exception of EMU) are personal accounts. My andrekolodochka account is managed by me. I decide what my username is, and I can change it at any time (well, while I am a GitHub employee I would create a lot of issues for myself if I changed my username, due to how internal integrations work, but that’s an edge case that does not apply to non-hubbers). I can set a drawing of a pink elephant as my profile picture and change it tomorrow to a picture of Borat. Every setting in my personal GitHub account is controlled by me and nobody else. I OWN THE ACCOUNT!
Part of these settings is the ability to add email addresses to my profile, and I can add more than one. For example, I currently have three emails registered for my account:
There is only one restriction on what email address I can add: I cannot add an email address which is already registered against another GitHub username. You can’t have two GitHub usernames with the same email address in their settings.
Customers often say “I use such and such email to log into GitHub”. In reality, GitHub uses usernames. The only reason you can log in with an email is the restriction above: because a single email address can only belong to one GitHub username, GitHub can look up the relevant username from the email address.
So here comes the answer to the original question: I can add ANY email address to my GitHub profile. What’s more, I can add multiple email addresses to my profile, as you can see from my screenshot. If I decided to moonlight for Google after hours and Google provided me with a @google.com email address, I could add that email to my profile. That is irrespective of whether Google has an organisation on GitHub and whether I am a member of that organisation. And there is absolutely nothing Google can do to prevent me from doing that.
So why do I think this is not an issue for companies? For the same reason that me signing up for an eBay account with a @github.com email is not a problem for GitHub: it does not introduce any security concerns. Using my work email address in personal accounts on various cloud services won’t disclose any confidential information, because I will only be receiving notifications in that mailbox, not sending information from that mailbox to those services.
Also, if you are on the GitHub Enterprise plan, you most likely have SAML configured for your company’s organisations, so even if somebody managed to steal the credentials of my personal, 2FA-protected account, they would still need to authenticate against the company’s identity provider before they could access any of the company’s private repositories.
It is, however, probably not a wise decision for the individual. If they use a work email address in personal accounts, especially where there is no option to configure a backup email (hello, Atlassian!), and then leave their current employer, they essentially lose the ability to receive any notifications or to recover a forgotten password.
Another question I get often is…
I want the users in my organisation to only use company email address to log into GitHub and have a separate GitHub account for their personal stuff
Again, unless you are on EMUs: no, you can’t enforce that. Users can always add another email address to their profile and use that one to log in. However, in the majority of cases the reason for this request is to prevent disclosure of confidential information through notifications sent to personal addresses, and that can be prevented by verifying your domain name and restricting email notifications to your verified domain only. Bear in mind that once notifications are restricted, members who have no email address on a verified domain stop receiving them, so check who that affects before you switch it on. As for “have a separate personal account”, I explain why this is not a good idea on my GitHub account for personal and business use page.
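The following is an added example, not code from the post: an audit script that, for an organisation with a verified domain, lists which members do and do not have an email address on that domain, so you know who will go silent once notifications are restricted. It uses the GitHub GraphQL field organizationVerifiedDomainEmails on User, queried over the organisation’s membersWithRole connection; the token is assumed to belong to an organisation owner. The organisation name, the usernames and the embedded sample response are constructed for the example, and the script runs against that sample offline when no GITHUB_TOKEN is set.

```python
"""Audit which org members have an email on the org's verified domain.

Added example (not the post's own code). Assumes an owner token in
GITHUB_TOKEN; without one it runs against the constructed SAMPLE_PAGE.
"""
import json
import os
import urllib.request

ORG = "example-org"  # constructed organisation name (assumption)

# One page of members; organizationVerifiedDomainEmails(login:) returns only
# those of the member's addresses that sit on a domain verified by that org.
QUERY = """
query($org: String!, $cursor: String) {
  organization(login: $org) {
    membersWithRole(first: 100, after: $cursor) {
      pageInfo { hasNextPage endCursor }
      nodes {
        login
        organizationVerifiedDomainEmails(login: $org)
      }
    }
  }
}
"""

# Constructed sample of what one page of the query above returns.
SAMPLE_PAGE = {
    "data": {"organization": {"membersWithRole": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [
            {"login": "alice", "organizationVerifiedDomainEmails": ["alice@example.com"]},
            {"login": "bob", "organizationVerifiedDomainEmails": []},
            {"login": "carol", "organizationVerifiedDomainEmails": ["carol@example.com", "c@corp.example.com"]},
        ],
    }}}
}


def classify_members(page):
    """Split one response page into (login -> verified emails, logins with none)."""
    nodes = page["data"]["organization"]["membersWithRole"]["nodes"]
    has_verified = {n["login"]: n["organizationVerifiedDomainEmails"]
                    for n in nodes if n["organizationVerifiedDomainEmails"]}
    missing = sorted(n["login"] for n in nodes if not n["organizationVerifiedDomainEmails"])
    return has_verified, missing


def fetch_pages(org, token):
    """Yield response pages from api.github.com, following the cursor (network)."""
    cursor = None
    while True:
        body = json.dumps({"query": QUERY, "variables": {"org": org, "cursor": cursor}}).encode()
        req = urllib.request.Request(
            "https://api.github.com/graphql", data=body,
            headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        if page.get("errors"):
            raise RuntimeError(page["errors"])
        if page["data"]["organization"] is None:  # unknown org or token lacks access
            raise RuntimeError(f"organization {org!r} not visible with this token")
        yield page
        info = page["data"]["organization"]["membersWithRole"]["pageInfo"]
        if not info["hasNextPage"]:
            return
        cursor = info["endCursor"]


def audit(pages):
    """Merge all pages into (login -> verified emails, sorted logins with none)."""
    has_verified, missing = {}, []
    for page in pages:
        hv, m = classify_members(page)
        has_verified.update(hv)
        missing.extend(m)
    return has_verified, sorted(missing)


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    pages = fetch_pages(ORG, token) if token else [SAMPLE_PAGE]
    verified, missing = audit(pages)
    for login, emails in verified.items():
        print(f"{login}: {', '.join(emails)}")
    print("no verified-domain email (will not get notifications once restricted):",
          ", ".join(missing) or "none")
```

Members in the second list can still log in and work as usual; they just need to add (and verify) an address on the company domain before notifications reach them again.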
What about EMUs?
All of the above applies to your personal account on github.com. User accounts in EMU instances are… well… special. Firstly, unlike the account you created to share your code or contribute to other public repos on github.com, EMU user accounts belong to the business: the company can gain access to that account at any time, and when you leave the company you leave that account behind. Secondly, EMU user accounts are confined to that enterprise account and are neither visible to nor usable on the rest of github.com. That’s why you can’t use an EMU user account to commit code to a public repository. Because of that limited scope, two things follow. Firstly, you could have the same email address associated with a user’s personal account on github.com and with that user’s EMU username in an EMU instance. Secondly, it is not possible to use an email address to log into an EMU user account; when you try to do so, GitHub will always try to log you into your personal account, and you simply get an error if no personal username with that email address exists.