diff --git a/warrant/__init__.py b/warrant/__init__.py
index 2a0c2313..e785b25d 100644
--- a/warrant/__init__.py
+++ b/warrant/__init__.py
@@ -365,6 +365,12 @@ def admin_authenticate(self, password):
             AuthParameters=auth_params,
         )
 
+        if tokens.get('ChallengeName') is not None:
+            if tokens.get('ChallengeName') == aws_srp.AWSSRP.NEW_PASSWORD_REQUIRED_CHALLENGE:
+                raise aws_srp.ForceChangePasswordException('Change password before authenticating')
+            else:
+                raise NotImplementedError('The %s challenge is not supported' % tokens.get('ChallengeName'))
+
         self.verify_token(tokens['AuthenticationResult']['IdToken'], 'id_token','id')
         self.refresh_token = tokens['AuthenticationResult']['RefreshToken']
         self.verify_token(tokens['AuthenticationResult']['AccessToken'], 'access_token','access')
diff --git a/warrant/aws_srp.py b/warrant/aws_srp.py
index 3b53f34e..686092f2 100644
--- a/warrant/aws_srp.py
+++ b/warrant/aws_srp.py
@@ -194,7 +194,7 @@ def process_challenge(self, challenge_parameters):
         if self.client_secret is not None:
             response.update({
                 "SECRET_HASH":
-                    self.get_secret_hash(self.username, self.client_id, self.client_secret)})
+                    self.get_secret_hash(user_id_for_srp, self.client_id, self.client_secret)})
         return response
 
     def authenticate_user(self, client=None):
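Review bot: `tokens.get('ChallengeName')` is evaluated three times in the added block of admin_authenticate; bind it once, `challenge = tokens.get('ChallengeName')`, and use that for the `is not None` test, the comparison and the NotImplementedError message so the three cannot drift apart. Placing the check before `verify_token` is right, since a challenge reply has no `AuthenticationResult` and would otherwise surface as a bare KeyError. The ForceChangePasswordException raised here drops `tokens['Session']`, which is what a caller would need to answer the NEW_PASSWORD_REQUIRED challenge; the exception's definition is not in this diff, so either attach the session to it if its constructor allows, or add a comment such as `# caller must complete NEW_PASSWORD_REQUIRED via a separate SRP flow; the challenge session is not retained`. admin_authenticate starts before the hunk.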
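Review bot: The SECRET_HASH sent in this response is only accepted if it is computed over the same identity as the response's own USERNAME field, and the hunk now hashes `user_id_for_srp`; where that variable and `response['USERNAME']` are assigned is above the hunk in process_challenge, so confirm both are taken from the challenge's USER_ID_FOR_SRP and neither still uses `self.username`, otherwise alias sign-in keeps failing the hash check. A one-line comment above the `response.update` would stop a future "cleanup" from reverting this: `# hash over USER_ID_FOR_SRP (the name Cognito resolved), not the alias the user typed`. process_challenge starts before the hunk.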
@@ -235,10 +235,20 @@ def set_new_password_challenge(self, new_password, client=None):
                 ChallengeResponses=challenge_response)
 
             if tokens['ChallengeName'] == self.NEW_PASSWORD_REQUIRED_CHALLENGE:
+                challenge_parameters = response['ChallengeParameters']
+                user_id_for_srp = challenge_parameters.get('USER_ID_FOR_SRP')
+
+                if user_id_for_srp is None:
+                    user_id_for_srp = self.username
+
                 challenge_response = {
-                    'USERNAME': auth_params['USERNAME'],
+                    'USERNAME': user_id_for_srp,
                     'NEW_PASSWORD': new_password
                 }
+
+                if self.client_secret is not None:
+                    challenge_response['SECRET_HASH'] = self.get_secret_hash(user_id_for_srp, self.client_id, self.client_secret)
+
                 new_password_response = boto_client.respond_to_auth_challenge(
                     ClientId=self.client_id,
                     ChallengeName=self.NEW_PASSWORD_REQUIRED_CHALLENGE,
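Review bot: The first added line reads `response['ChallengeParameters']` although the challenge being answered is the one carried by `tokens` (the `if tokens['ChallengeName'] == ...` guard directly above); `response` is bound outside the hunk and looks like the earlier initiate_auth reply, so unless the two are known to carry the same USER_ID_FOR_SRP, change it to `challenge_parameters = tokens.get('ChallengeParameters', {})`, which also avoids a KeyError when the key is absent. The fallback to `self.username` and the added SECRET_HASH over `user_id_for_srp` keep USERNAME and the hash on the same identity, which matches the fix in process_challenge and is what Cognito checks. Cognito requires the `Session` from the challenge reply on respond_to_auth_challenge; the call's remaining keyword arguments are past the end of the hunk, so check it forwards `Session=tokens['Session']`. set_new_password_challenge starts before and ends after the hunk.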