Cannot add Zooz sensor as authenticated device to Hubitat


I have updated to the latest platform version and I cannot add Zooz Q Sensor ZSE11 as an authenticated device. The sensor supports S2 Authenticated Security. I have added multiple Zooz devices and had no issues to authenticate them by manually adding them to the hub with Zwave inclusion. Once the device is found the hub will prompt you with/without security and when you select with security will prompt you to enter the pin. After the update of the platform version the pin pop-up does not come up. As a result the devices is added as S2 Unauthenticated. Is this driven by the update or is it a sensor issue?

Thank you!

@Acho Don't use encryption if you can avoid it with stuff like that. Locks and garage door stuff yea, everything else no. Your mesh will be much happier

1 Like

I use the highest security for everything that supports it, when possible. Might as well if its available. Zwave mesh seems to be fine especially with the newer zwave firmware.

You could try using the smart start. You will have to exclude it, power it off. Go into the mobile app, Tools > Zwave > smart start, scan the QR code. Power up the device. It should pair with S2 Auth by itself after a minute or two.

I have a few new S2 devices I need to pair as well including a ZSE11, ZEN30, and ZEN17. I was going to use smart start but I can try out the manual method tonight to see if I get the DSK pop up or not.


I added one of these a while back (before the "Add Device" wizard changes a version or two ago), and mine added as S2 Unauthenticated. I can only find one place on the Zooz site where they say this is S2 Authenticated, and the Z-Wave Alliance conformance doc is completely unhelpful because it says "No" for S2 entirely (LOL). It's pretty common for sensors to support only S2 Unauthenticated and I didn't think anything of this. Are you sure this is the particular Zooz device you added as Authenticated?

One of the above changes is that the PIN popup no longer appears for S2 Unauthenticated (might be nice to see to verify, technically the point, but I'm guessing 99% of users didn't bother to check and many of them were confused with Authentication or Access Control and thought they had to enter something...).

EDIT: See below--I may have an older hardware revision of the ZSE11?


Thank you both. I have tried the smart start (by scanning the QR code) and it is just sitting on not included and pending. I have left it alone for 4 hours and it seems that the end result was that the sensor was added but as S2 Unauthenticated.
I would like to add it as S2 Authenticated since all the rest of the devices are added as S2 authenticated. I have read somewhere that devices will communicate better if they are all added with same setup (no security, S2 unauthenticated or S2 authenticated). I have no issues with the rest of the setup or the speed, just really wanted for these device to be added as S2 Authenticated as well

It would be good to know the source for this, too, but this sounds like something you may have read related to Z-Wave Association. If you're not using Association (and it's pretty difficult to do on Hubitat with most stock drivers--slowly changing, and some community drivers do offer options for this), you can ignore it entirely. If you are, what we've been told matters is that they have at least one grant in common. This is also something you can't see during pairing anymore, but if you're pairing, say, a Zooz dimmer with S2 Authenticated, in the past you would have likely seen the S2 Unauthenticated and S0 boxes checked as well (with a caution not to uncheck anything if you don't know what you're doing). The hub will always use the highest grant, S2 Authenticated, but Association should work as long as the other device(s) have at least one grant in common--which is where those other checkboxes mattered. (Now it will pair with the default options and no choice, I think. You can check after pairing by de-coding the "S2" value in device data to determine which grants are present...with some math.)

Or so it goes theoretically. :smiley: I don't know if anyone has tested this exactly, but with how many sensors out there that don't support S2 Authenticated, I'd be surprised if it didn't work...

1 Like

Thats only needed if you want to use direct associations.

There is a new hardware version, I just got mine in the mail this week but it does have the QR code with the DSK inside the lid which usually indicates it will use S2 Auth.

1 Like

On the instructions included in the sensor's box it mentions few times that is has S2 authenticated security with latest chip blah blah. When using smart start I have tried the following: selecting all the options up to S2 authenticated or selecting only S2 authenticated, both did not work. The manual add never prompted me for pin.

Yep, same. I have received mine recently as well (after they recently restocked it). It has the QR code with the underlined pin on the lid of the box.

I honestly don't see the point in the overhead of encryption with devices like that anyway. If someone wants to sniff what light I just put on that's fine, but face it... At that point they're parked on the street and close enough to look at the house to see I just turned on a light or what have you. Sure keeping locks encrypted is good but if they really want it, well, there is the side window to get broken... I'm just of the opinion, less overhead the better and concentrate on where security is actually needed. Again, JMO

1 Like

Especially on a multi-sensor that are sending multiple reports at once. That gets to be very traffic intense for the mesh if you do this with multiple devices.

My network is a lot happier since I switched to all unauthenticated except for the 3 door locks which require S0 (too old for S2).

Thank you for sharing! Do I have to remove and add all the devices in order to change the authentication?

I have been using Zooz 4-1 sensor as S2 authenticated and the speed is good enough for me, there is literally no delay. I just want to keep m network consistent with S2 Authenticated if possible.

Mine has the QR code and PIN on the outside of the lid, but neither of those means S2 Authenticated; it's just a byproduct of needing to support S2 and SmartStart, which has been required for certification for some time. But I didn't know about the hardware revision--that's interesting! I didn't expect this sensor to get much love since it sounded like just a stopgap until they got the 700-series 4-in-1 out, which they do now. :slight_smile:

There is no reason to do so. Mix and match is perfectly fine. S2 and S0 can repeat for no authentication, and no authentication can repeat for S0, S2 and so on.

Unfortunately, yes you would have to remove and include again. There are a few ways to do this without wrecking all your automations and dashboards and so on.

I think changing security all involve using a different Z-wave controller or Z-wave capable hub to reset the device. Whatever you do, do NOT exclude the old device as the first step. I reset mine with my C5, and brought them back into my C7 by doing a Z-wave "Replace" on the Z-wave Details page. Alternatively, you could bring them back in as a new device and use the Hubitat Swap Device app. Again, if you first remove the device from Hubitat to do this, you lose this device in all automations and apps, so be very careful if you attempt this.

I have just reviewed a previous post (S2 authenticated or unauthenticated for Range Extender) that I found in the community and it seems that as long as I am using S2, regardless of authentication offers the higher speed in comparison to S0-S2 combination. Just in case I am checking with Zooz if the sensor is supposed to offer S2 authentication or not. I will let you know once I hear from them. Thank you for the help and discussing this with me. I appreciate the different viewpoints here as I am still newbie into automation world.

I would like to see that thread. Link?

The Ring Range Extender has a specific requirement for S2 pairing to report (if memory serves correctly) power status and internal battery status. If you don't want that, you can pair without security.

And S0 does slow things down, which is why there is a longstanding recommendation to only use it when necessary, like for door locks.

I'm not exactly sure what you mean here, but Z-Wave supports the same speeds regardless of S2 or not: 9.6 Kpbs, 40 Kbps, or 100 Kbps, depeding on generation (only Z-Wave Plus and newer devices, i.e., 500 series and newer, support 100 Kbps) and network conditions (e.g., lower speeds will be used to maximize range when needed). S2 adds a bit of overhead and may make some things actually slightly slower in effect, though S0 has significantly more and is why it's generally recommended to avoid it unless absoutely necessary (e.g., older door locks).

That being said, like @jtp10181, I normally join my devices to my network with whatever security is default (except S0 if I don't need it--some devices need a secondary controller to make this possible, but even small number of those shouldn't hurt). This was what the UI encouraged for a while and what I figured most users would do, so I wanted to test an environment similar to that. :slight_smile: (It's also probably what Silicon Labs really wants, reality be darned...) My network works pretty well for me, especially after some Z-Wave updates that were not in the original C-7 hub (and the most recent update in particular may help a longstanding issue some users faced that Silicon Labs only recently acknowldeged).


Here is the link: S2 authenticated or unauthenticated for Range Extender - #15 by marcaronson408
post #15

Now when you said that, I looked at Zwave details and you are correct, I see the S2 unauthenticated sensor paired with speeds up to 100kbps including another sensor which has S0 connected at the same speed. So, maybe you helped me bust a myth :slight_smile: