I have recently installed my first devices using S2 mode. I have reviewed other devices in my mesh in an effort to clean up my routing tables and discovered that my Honeywell Pro T6 thermostats are S2 capable but have either networkSecurityLevel: ZWAVE_S2_UNAUTHENTICATED or * networkSecurityLevel: ZWAVE_S2_FAILED. I assume I would get the benefits of S2 (“better battery life, greater reliability, and less latency than S0 devices, due to the usage of a single frame command process rather than the former three-step process for security”) if I excluded and attached the thermostats as S2 but I am unsure, and I’m unsure of the process to do it.
Yes it’s the same process for all S2 capable devices. If I remember correctly the T6 Pro only supports S2_UNAUTHENTICATED and that should work just fine to get all the benefits of the S2 reduced traffic you’re looking for. @JDRoberts
Z wave S2 unauthenticated is normally used when the hub on the network is not capable of processing the authentication method. It doesn’t have a method of scanning the QR code and it may not even have a way to enter the DSK pin code.
But any of the current smartthings/Aeotec hubs use the app for onboarding, so that shouldn’t be an issue. In other words, if you can join it unauthenticated you should be able to join it as S2 authenticated as long as you follow the instructions @rboy gives in the ring thread.
That said, there were a few early release devices that had S2 security but didn’t have a QR code or DSK code. So those would be added unauthenticated. I don’t know if that applies to this particular model or not.
You could also check with Honeywell and see if they have created a QR code since the device was first released, some companies have done that.
But in any case, as @rboy mentioned, you should get the benefits that you listed regardless of whether the device is joined authenticated or unauthenticated. The only thing you lose is that there may be a few handheld remotes or wallmount controllers that won’t work with the thermostat unless it’s authenticated. But that’s not usually how you handle thermostats anyway.
“Less latency” is because the S2 device only has to send one (highly encrypted) authentication message instead of 3 (less encrypted), so as long as the hub also supports S2, you always get that benefit.
And, yes, the S2 devices will repeat for devices with lower security levels. That’s just a pass through, so they don’t care.