Your question can be devided into three parts. Two are directly related to security in WCF and one is out of scope.

Authentication and authorization – yes this is possible. WCF offers several settings to allow authenticating client and provide its roles. You can also build your own. The most common scenario for authenticating clients which are not in your AD domain is using user name and password credentials with custom validation on service or using client certificates.

Confidentality and integrity – because of your consern about security you should also involve secure transport of credentials (and message data). If you do not provide secure transport anybody on the network will be able to sniff communication and steal credentials (or data). Attacker will also be able to intercept communication and modify transported data. To secure communication you need transport security (TLS,SSL / HTTPS) or message security – in Internet scenario provided by certificates.

Securing credentials on client – this is mostly out of your control. Once you deploy client application with credentials to client machine which is not under your control you can never enforce security of provided credentials. It is up to your users / customers. If you somehow include credentials in your application skilled end user / attacker will probably always be able to get them. But this is problem of every secure solution – somebody must have access to credentials.