Well, we can really only speculate as to the exact nature of the key system.
There's likely some sort of web API that's called whenever someone buys the game. That then generates the key (Somehow, we don't know how) and emails it to the buyer. Nobody except Badspot (and maybe a few other very close friends/devs) knows where exactly it's located and how to invoke it besides buying the game in some form.
Then behind the scenes, it would put it into some form of master database that contains two or more tables, one that has (key, name) pairs, and one that has (BLID, name, IP) triples used for currently authenticated players. The exact frameworks and types of databases used are a mystery; there are dozens of different ways to make something like this that are all equally valid.
There might also be extra tables for which BLIDs have already been bought, which would mean that deactivating a key would simply remove the relevant (key, name) pair, making it impossible to authenticate with it.