My Delaware and Delaware ID – FAQ

Why did Delaware adopt new Single Sign-On solutions?
The pandemic, especially its need for a secure Contact Tracing application, accelerated our rollout of this solution. But it has been in the making for years due to the need to harden the State of Delaware network against ever-increasing security threats.

When did workers begin to use these identity and access management solutions?
All State of Delaware and K12 staff use a worker Delaware ID for access to State training and such enterprise applications as Outlook and Microsoft 365 (Word, PowerPoint, Excel, Teams and more). A worker Delaware ID may be required as well for access to other state applications, such as state VPN. PHRST-paid employees use a personal myDelaware identity as well to access Employee Self Service and pension statements. Identity Lifecycle Management controls provision of worker Delaware ID access. IT Access Onboarding automates the provisioning of new hire/contractor state identities (except K12 and CJ domains). Online access to state systems, services and applications are moving to require a Delaware ID to protect data and infrastructure.

What if I can’t use a cell phone at my work location to authenticate for these solutions?
Your organization may have been enabled for other authentication options such as a Security Question or hardware token (YubiKey). Email Project_ID@delaware.gov if you don’t see these options when you register for a Delaware ID. You can add a security question as a multi-factor authentication option for authentication on myDelaware.

Will Single Sign-On solutions and the need to authenticate with a factor (MFA) only apply to VPN/remote access or will it be used for network login?
This is a layer of security in front of your network login and enterprise applications such as Outlook. You won’t see it in action if you log in when you are inside the network (from your office in a state facility, for example). You may only be prompted for MFA when you are outside the network, if you log in from someplace the system doesn’t recognize, or if you change your password.

ID.Delaware is asking me to change my password? What happens if I do?
For domain-joined state and K12 organizations, this security layer in front of your network login is linked to your Active Directory/Windows password. Changing your password when prompted by your “Delaware ID” automatically changes your network/Windows password, too. If you have stored your password on another device or password manager (e.g., a state cell phone), assure that you update your password everywhere, at the same time.

How will these single sign-on solutions affect applications my organization has developed that use network credentials?
The primary focus is State of Delaware Internet-facing enterprise applications, managed by DTI and in use across multiple state organizations. Initially, Internet-facing applications that authenticate using Active Directory may be among the first to have their tiles added to workers’ home screens. Over the coming months and years, the intent is to work with organizations to assure that their applications meet the legislated requirement that they are secured by either ID.Delaware or myDelaware.

How will this change affect Microsoft 365?
Workers will access email and Microsoft 365 applications without MFA while connecting from within the State network and use ID.Delaware for MFA when logging in from outside the State network.

How does an organization request that an application be onboarded to one or both of these single sign-on solutions?
Your organization’s IRM and Partner Services Engagement Specialist will work together in the coming months to identify applications to be transitioned to the new solution (either ID.Delaware or myDelaware). Your organization can initiate a ServiceNow process that will include completing a questionnaire for each candidate application your organization has.

Will DTI or the business manage access to a business’ special applications?
Business owners can manage who, among their workers or other users, have access to a business’ applications that are onboarded to, and protected by, single sign-on.

Will there be a cost to organizations for employees to use this new solution?
The cost for our agency partners is associated with enterprise security. It has been added in the proposed Secure End User Services package as a piece of the security cost for inclusion in the new Shared Services cost model.

I want to change my selected MultiFactor Authentication (MFA) options in id.delaware.gov or my.delaware.gov; how do I do that?
On the dashboard for either my.delaware.gov (your personal identity) or id.delaware.gov (state worker identity), in the upper right corner of your dashboard screen, click on your name, then select Settings from the menu below your name. Scroll down to Security Methods. This is where you can reset your password, set up Okta Verify (an authentication app for your smart phone—download it from Apple Store or Google Play before attempting to set it up), set up phone numbers for verification, or set up/change a security question. NOTE: you will be prompted for MFA before you can set up a factor.

How do I get a home email address if I don’t have my own?
Free email account providers where anyone can create an email account to use as a “home email address” for State of Delaware purposes include:

• Gmail (a Google product, good for Android smartphone users) Sign up for Gmail
• Personal Outlook (a Microsoft product many already know) Sign up for personal Outlook
• iCloud (an Apple product, good for iPhone and Mac users) Sign up for iCloud
• Mozilla Thunderbird (by Firefox, simple to set up and use) Sign up for Thunderbird

It is fine to use a work computer to fulfill the migration requirements (to create and access your free email account and to register for a my.delaware.gov identity, and to access Employee Self Service).

So how do I create my own gmail account?
Just go straight to Google and go through their process. It’s simple and only takes about 3-5 minutes.

If that looks overwhelming (it’s not hard), here’s a step-by-step set of instructions on how to set up your google account (which gives you email).

I don’t want to share my personal home email address with my employer: what should I do?
Anyone who does not want to use their personal primary home email address may create and provide an email account with a free provider to use just for State of Delaware Employee Self Service “myDelaware Login email” purposes. You must be able to access this email account to receive the registration invitation/activation link and to register for a myDelaware identity. You can obtain a free email account from any provider, including those listed above, and you may use a work computer to create the account and register on my.delaware.gov.

State employees who want electronic access to participate in Open Enrollment for State of Delaware employee benefits (participation is required by law) or the State Employee Charitable Campaign, for example, will need to have a myDelaware identity to access these applications online.

My family uses a single email address for all of us. Can I use this as my myDelaware login email address?
No. An employee’s “home” and “myDelaware Login” email addresses need to be unique to each employee, not shared with anyone else in the family. Even if only one member of the family currently is a State of Delaware employee, other family members may need my.delaware.gov identity to transact business with the State of Delaware and won’t be able to use the shared email, either.

For a my.delaware.gov identity, each person needs a unique email address they alone control access to; this protects access to employment and other personal information.

My spouse and I share the same home email address; can we share a myDelaware identity?
No. Even if your spouse is not a State of Delaware employee, you cannot share a myDelaware identity– just like you cannot share a Delaware Driver’s License. Everyone needs their own validated myDelaware identity; this requires each person to have their own individual and unique home email address.

Why should I provide a home and myDelaware login email address?
An employee’s myDelaware login email address in your PHRST employment record becomes your unique username for the myDelaware system.

Residents, visitors, and employees use myDelaware to access Employee Self Service (for pay and benefit information) and other public-facing State of Delaware applications and services, such as State of Delaware Pension system and Child Support Services, for example, even after employment ends. Eventually, many kinds of transactions will require a myDelaware identity which is intended to serve you for your entire lifetime.

How will the State of Delaware use my home and/or myDelaware Login email address?
The State uses the home and/or myDelaware Login email address an employee provides to link an employee’s PHRST employment information with their myDelaware identity (the email field “myDelaware login” is a protected field in your employee file).

Once an employee completes registration for a myDelaware identity that identity will be linked to PHRST and granted access to Employee Self Service and other applications, based on a person’s employment with the State. The State only uses the myDelaware Login email to link employment record to identity. This address CANNOT be “preferred” for correspondence.

Can I select my home email address as my “preferred” email address?
Of course! It is important to know that you must select a “preferred” email address because many important communications, including benefits information, are sent via this contact method. You must designate one of your email addresses–most commonly either business or home–as “preferred” in your Employee Self Service personal information.

An employee can only have a single “preferred” email address; the myDelaware Login address cannot be marked “preferred” for correspondence. To use that email for correspondence, an employee should enter it as a “Home” email type.

What if I must change my personal email address later?
You can change your home email address (which could be used for State correspondence) anytime. However, changing your home email will NOT cause any change in your myDelaware login Email which will remain your my.delaware.gov login, even if your correspondence email in Employee Self Service is changed. In rare circumstances where you must abandon an email account you used for your myDelaware login because of legal or security concerns, you can work with your HR representative to change your myDelaware login email in PHRST so it will link to your myDelaware identity created with that same changed email.

I do not wish to receive unsolicited emails from SOD third party agents. How will the State of Delaware protect my home and myDelaware login email address?
The State of Delaware considers personal email addresses you share in your Employee Self Service Personal Information to be confidential information. You get to choose which email (your “home” or your “business” type) you wish the State of Delaware to use for official communications. You have always received third-party communications—specifically, from your chosen SOD benefit providers—at whichever email you designated as “preferred”. This email address also receives benefits enrollment and other State communication. The State of Delaware has no intention of harvesting or selling your personal email addresses to anyone.

The email address that you designate as “preferred” is provided to your chosen SOD benefits providers so they may do outreach to employees as needed for care or disease management, etc. You need not use your personal email address for anything except to allow you to create a myDelaware identity that can be linked to your Employee Self Service identity (your personal myDelaware Login email acts as a unique identifier for this purpose).

Why can’t I use my Delaware ID to access Employee Self Service?
Your Delaware ID is for work-related applications and systems. To safeguard your lifetime online access to State of Delaware digital government services (such as your pension), you will need a my.delaware.gov identity.

Employee Self Service (ESS) moved to my.delaware.gov to assure uninterrupted access for workers who frequently change state employers (especially those working in education), and to make electronic access to ESS available to the many workers who don’t have a state email account. Access and identity linked to a person’s personal myDelaware Login email makes this possible and puts access in the employee’s control.

Why can’t I use my work/state email address to access state services personal to me (Employee Self Service, Pension Annual Statement, etc) on my.delaware.gov?
A person’s myDelaware identity is intended to be a unique-to-you, lifetime access username to any State of Delaware-related online service. Employees lose access to any work-issued state email and work-related Delaware ID when state employment ends, but still are permitted limited access to Employee Self Service, post separation. After employment ends—either by retirement or by separation—a former employee can use my.delaware.gov to see tax and pay information, access the Pension system, and continue to transact other business with the state. Access to Employee Self Service via my.delaware.gov won’t be interrupted by a change in work email due to a job change. Access via a work address would not be equitable or efficient: not all employees have work issued (K12 or State) email addresses, and some employees have multiple work addresses due to having multiple assignments or responsibilities.

What is Multi-Factor Authentication? MFA set up is required the first time you activate your work or personal Delaware ID, so you can authenticate when you log in from outside the state network. You can choose, set up, and use the same factors to authenticate for both your myDelaware and Delaware ID. You only must set this up once, but you can update your factors yourself (in Settings) later (if, for example, you get a new cell phone number). This keeps your information safe.

MFA protects all the applications you access, including those like Employee Self Service that accesses YOUR personal data that Delaware wants to keep safe and secure. You will be presented with a request for MFA to verify you are YOU every time you log in from OUTSIDE the state network, or if you want to update a password or change your factors. Additionally, you may receive email from the system alerting you to any new or unusual login activity. If you DO NOT recognize the login attempt, please notify esecurity@delaware.gov immediately.

How many authentication factors do I need?
Delaware recommends that you set up at least TWO factors from the four choices offered. These factors are:

1. VOICE CALL: provide a 10-digit phone number to a phone you can answer when you are logging on, such as your home phone. Your phone receives a voice call providing an access number to type into your device to log in.
2. SMS: provide a 10-digit phone number to a text-message-enabled cell phone. Your cell phone receives a text message with a code you type into your device to log in.
3. OKTA VERIFY: an application you can download (from Google or Apple). Download to a smartphone before setting up this factor: you will need to open the app and aim your phone’s camera at the QR code provided during set up to sync the app and your myDelaware or Delaware ID identity.
4. SECURITY QUESTION: MyDelaware (and Delaware ID only at select work locations) may set up and choose one from a wide variety of questions available. You type in your secret answer to log in.

You can select among any factors you set up when you need to authenticate.

Some secure workplaces may offer different factors, such as security question, as an MFA factor for your Delaware ID, where phone use is not available.

Is there a cheat sheet for setting it up?
Yes. See these instructions which provide a step-by-step, screen-by-screen walk through of what to expect when you are asked to set up MFA on myDelaware.

Once it is set up, do I have to do anything else?
You only need to set MFA up once: any other applications requiring MFA in the future will be able to use it. You can modify your choices later (add or remove factors), but only IF you have access to at least ONE factor you set up. If you lose access to your factors, contact your Help Desk for assistance in resetting MFA.   What do I need to do when I get a new cell phone? If you plan to get a new cell phone, you will need to remove any factors related to the old one (i.e., SMS, Voice Call and/or Okta Verify) before you set up a new phone as a factor. If possible, do this before you get a new number/phone. Having one non-cell-phone factor set up allows you to access your identity and change your factors even if you lose your cell phone.

Remember to do this for both myDelaware and your Delaware ID if you used your cell phone number or installed Okta Verify as a factor. If you lose access to your old phone, ask your Help Desk to reset your MFA.

I am logging in to Employee Self Service using the URL or the Tile on My Delaware and it either shows password expired or logs me out of myDelaware in a continuous loop.
This do-loop happens when you have had your browser open for a long time and an expired cookie locks your account.

We have an hourly process that unlocks the user accounts.  We ask you to first clear your cache. If you don’t know how, search “How to clear a browser cache in [insert your browser type—Edge, Chrome, Safari, Opera, etc.]” for step-by-step instructions you can easily follow. Then, completely quit your browser.  Give the process time (about an hour) before you start again with a fresh browser and then try to login again.

Oops, my Home Email doesn’t match my myDelaware login Email in my Employee Self Service Personal Information.
If you decided to change your personal email, and registered for my.delaware.gov with the updated Home email, please reach out to your HR representative to have that person change your myDelaware Login Email to match the personal email you used to register for your myDelaware identity. You may not see your Employee Self Service tile until 48 hours after the correction to your PHRST personal information is made.

My Employee Self Service tile never showed up for me on the myDelaware dashboard!
Here are the most common reasons for (the Employee Self Service tile not showing up in 48 hours after my.delaware identity registration):

1. Background processes and timing.
   Depending on when Human Resources makes a change to your Home/myDelaware Login email in Employee Self Service and when you complete your my.delaware.gov registration, it takes up to 48 hours for the systems to sync your identity AND to assign the tile.
2. You did not provide Human Resources with a Home Email AND myDelaware login email to put in your PHRST Employee Self Service record.
   Contact Human Resources and assure they add Home and myDelaware Login email to your PHRST record. After HR has done this correctly, your tile will show up within 48 hours.
3. Your name or the email you registered with in myDelaware doesn’t match your PHRST data.
   Contact Human Resources to confirm exactly how your name, home, and myDelaware Login emails appear in PHRST; make sure that you registered on myDelaware with the same email as is in your PHRST employee data. Make sure your name in your myDelaware settings is spelled exactly the same as it is in your PHRST employee data.

Why did access to DE_SSO change?
Delaware needs greater security for the state network and data. Access to applications and systems protected by DE-SSO will be protected by myDelaware and/or or Delaware ID going forward.

Who made the decision to make this change?
The State of Delaware’s Chief Security Officer and DTI, in keeping with the governance policies conferred on them by The Delaware Code statue (Title 29, Chapter 90C) which enables the Department of Technology and Information.

DTI is mandated by the legislature’s update of Title 29 Chapter 90C Subchapter III to “mitigate cyber security risks related to critical infrastructure and protected systems;” DTI’s enabling statute further provides that DTI shall have the power to:

This change in access is part of an overall hardening of the state’s defenses of your personal information and other sensitive state data against bad actors. The State of Delaware cannot retain a system that no longer adequately protects state data. Data security breaches have the potential to incur great costs, both to the state and to individuals whose information is compromised. DTI acts with the full knowledge of, and in concert with, the other state entities who are responsible for employee data: the Office of Management and Budget and the Department of Human Resources. This change is being made because the State of Delaware must act responsibly to protect state data.

Title 29 clearly states: