In this paper, we investigate the PHY-layer authentication that exploits radio channel information to detect spoofing attacks in multiple- input multiple-output (MIMO) systems. We formulate the interactions between a receiver and a spoofing node in the spoofing detection as a zero-sum game. In this game, the receiver chooses the test threshold of the hypothesis test in the PHY-layer authentication to maximize its utility based on the Bayesian risk in the spoofing detection, while the adversary chooses its attack frequency, i.e., how often a spoofing packet is sent over multiple antennas. The unique Nash equilibrium of the static MIMO authentication game is derived and the condition for its existence is discussed. We investigate the impact of the number of antennas on the performance of the dynamic authentication game. We propose a PHY-layer spoofing detection based on Q-learning for MIMO systems to achieve the optimal test threshold in the spoofing detection via trials, and implement it over universal software radio peripherals. The performance of the spoofing detection algorithm is evaluated via experiments in indoor environments.