Security S2 has three security classes including S2-AccessControl, S2-Authenticated and S2-Unauthenticated. Why use the least secure method knowing it is not authenticated by the DSK?
The Z-Wave Security-2 (S2) Command Class supports many application spaces. The S2-Unauthenticated class enables secure applications at the low end of security scale provided by S2.
While the S2-Unauthenticated class is less secure than other S2 classes, it still represents a significant improvement over the protection level that can be achieved with the original Z-Wave Security-0 (S0).
The S2 Unauthenticated class enables the deployment of simple networks with very constrained network controllers. One example is a wood cabin, where a battery powered wireless wall switch controls a few LED bulbs running off a car battery and a solar panel. The wall switch also acts as the network controller, but as it has no QR scanner and no keypad for decimal entry, it is more convenient to only assign the S2-Unauthenticated class key to the LED bulbs.
Z-Wave certification will prohibit some products from operating via the S2 Unauthenticated class. This includes gateways and door locks. In other cases, manufacturers may decide that their particular application needs a protection level of at least the S2-Authenticated class.
Products may be designed to accept multiple S2 classes. For instance, a full-functional LED bulb may accept joining the S2-Unauthenticated class as well as the S2-Authenticated class
However; Device manufacturers not making access control devices should aim at including their devices in the S2-Authenticated group to maximize network security.