Let me try to paint a picture to explain why your comment below is a huge oversight.
> Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.
Imagine a scenario where the users come to your application after a while and they don't remember the password. It means they already know that an account exists, but they haven't used it in a long time, so they have definitely forgotten the password.
In this scenario, the first thing they'd do is ... ?
They will look for a password recovery option, which is something along the lines of a "Forgot Password" option.
In such a condition, the user hasn't put in a wrong password yet, but they need that option.
Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.