Link. Trick user into entering the token value into a web form — in addition to credentials.