Information
The authentication_type='EXTERNAL' setting determines whether or not a user can be authenticated by a remote OS to allow access to the database with full authorization. This setting should not be used.
Rationale:
Allowing remote OS authentication of a user to the database can potentially allow supposed 'privileged users' to connect as 'authenticated,' even when the remote system is compromised.
Solution
To remediate this setting, execute the following SQL statement, keeping in mind if this is granted in both container and pluggable database, you must connect to both places to revoke.
ALTER USER <username> IDENTIFIED BY <password>;
Notes:
The PASSWORD keyword (column) used in the SQL for prior Oracle versions has been deprecated from version 11.2 onward in favor of the new AUTHENTICATION_TYPE keyword (column) for the DBA_USERS table. However, the PASSWORD column has still been retained for backward compatibility.