User authentication systems (in short authentication systems) have wide utilization in our daily life. Unfortunately, existing authentication systems are prone to various attacks while both system security and usability are expected to be satisfied. But the current research still lacks a thorough survey on various types of attacks and corresponding countermeasures regarding user authentication, including traditional password-based and emerging biometric-based systems. In this paper, we make a comprehensive review on attacks and defenses of the authentication systems. We firstly introduce a number of common attacks by classifying them into different categories based on attacker knowledge, attack target, attack form and attack strength. Then, we propose a set of evaluation criteria for evaluating different kinds of attack defense mechanisms. Furthermore, we review and evaluate the existing methods of detecting and resisting attacks in the authentication systems by employing the proposed evaluation criteria as a common measure. Specifically, we focus on comparing and analyzing the performance of different defense mechanisms in different types of authentication systems. Through serious review and analysis, we put forward a number of open issues and propose some promising future research directions, hoping to inspire further research in this field.

用户认证系统（简称认证系统）在我们的日常生活中有着广泛的应用。不幸的是，现有的认证系统容易受到各种攻击，而系统安全性和可用性都有望得到满足。但目前的研究仍然缺乏对各种类型的攻击和用户身份验证的相应对策的深入调查，包括传统的基于密码的和新兴的基于生物识别的系统。在本文中，我们对认证系统的攻击和防御进行了全面的回顾。我们首先介绍了一些常见的攻击，根据攻击者知识、攻击目标、攻击形式和攻击强度将它们分为不同的类别。然后，我们提出了一套评估标准来评估不同类型的攻击防御机制。此外，我们通过采用所提出的评估标准作为通用措施来审查和评估现有的检测和抵抗身份验证系统攻击的方法。具体来说，我们专注于比较和分析不同类型认证系统中不同防御机制的性能。通过认真的回顾和分析，我们提出了一些悬而未决的问题，并提出了一些有前景的未来研究方向，希望能激发该领域的进一步研究。