External people can't open files with Sensitivity Label encryption.

Authentication is with the rights management service, not your tenant. This happens to check if the user seeking access matches any of the access rights granted by the label and to secure a use license to be able to decrypt the content. The solution is therefore to add an access right in labels that you want to protect files circulated externally to grant limited access to external users. Sensitivity labels support a special group called "All authenticated users" that will allow anyone who has an Entra ID account to access content, or you can add access for specific domains or user names (like microsoft.com or tony@contoso.com) to allow whole domains or certain external users to access the content. Whatever you do, don't grant broad access rights to external recipients unless you're happy that those recipients should have a high degree of control over sensitive information. Limit the access rights to view (and maybe edit in some circumstances) and you should be OK.

All explained in chapter 20 of the Office 365 for IT Pros eBook...