In order to overcome the difficulty of password management and improve the usability of authentication systems, biometric authentication has been widely studied and attracted special attention in both academia and industry. Many biometric authentication systems have been researched and developed, especially for mobile devices. However, existing biometric authentication systems still have defects. Some biological features have not been deeply investigated. Existing systems could be vulnerable to attacks, such as replay attack and suffer from user privacy intrusion, which seriously hinder their wide acceptance of end users. The literature still lacks a thorough review on the recent advance of biometric authentication for the purpose of secure and privacy-preserving identification. In this article, we classify and thoroughly review existing biometric authentication systems by focusing on security and privacy solutions. We analyze the threats of biometric authentication and propose a number of criteria with regard to secure and privacypreserving authentication. We further review the existing works of biometric authentication by analyzing their differences and summarizing the advantages and disadvantages of each based on the proposed criteria. In particular, we discuss the problems of aliveness detection and privacy protection in biometric authentication. Based on our survey, we figure out a number of open research issues and further specify a number of significant research directions that are worth special efforts in future research.