Some rationale is presented in https://bugzilla.mozilla.org/show_bug.cgi?id=97811#c59 through 62. The general idea is that changing fonts can make things "feel" less like a password control to the user. Since we already are restricting these to a single character, restricting the font makes sense.
So what aspects of the font would we want to prevent from changing? The size? The family? We were talking about the family in bug 97811, right? A second problem is what font face do we force, exactly? Should it be different on different OSes?
You need to log in before you can comment on or make changes to this bug.