Let me try to draw an image to explain why your comment below is a great oversight.
Tbh I really do not see any use for the button / link "forgotten password", unless the user has entered an incorrect password before.
Imagine a scenario where users arrive at your application after a while and do not remember the password. It means that they already know that there is an account, but they have not used it in a long time, so they have definitely forgotten the password.
In this scenario, the first thing you would do is …?
They will look for a password recovery option that is something in the lines of an option "I forgot my password".
In such condition, the user has not yet entered an incorrect password, but needs that option
Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.